Windows Analysis Report
SecuriteInfo.com.Heur.7529.3828.exe

Overview

General Information

Sample name: SecuriteInfo.com.Heur.7529.3828.exe
Analysis ID: 1502166
MD5: 6eec575753a25441c6fade4f961195c4
SHA1: 69ba87145777b46ca4e06c5563ebe77d4394d9e7
SHA256: 85433453aa370dd4059262be9a53d8cfed907908d7728226462a5fa6a667e921
Tags: exe

Detection

Score: 39
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Signatures

Deletes shadow drive data (may be related to ransomware)
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Creates or modifies windows services
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
SecuriteInfo.com.Heur.7529.3828.exe | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
SecuriteInfo.com.Heur.7529.3828.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000000.2102917811.0000000000A86000.00000008.00000001.01000000.00000003.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
00000000.00000000.2102968553.00000000012BB000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
Process Memory Space: SecuriteInfo.com.Heur.7529.3828.exe PID: 1176 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |

No Sigma rule has matched
No Suricata rule has matched

Source: SecuriteInfo.com.Heur.7529.3828.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: SecuriteInfo.com.Heur.7529.3828.exe | Static PE information: certificate valid
Source: unknown | HTTPS traffic detected: 94.23.156.117:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 94.23.156.117:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tst\sqlite_bld_dir\2\sqlite3.pdb source: SecuriteInfo.com.Heur.7529.3828.exe, sqlite3.dll.0.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | File opened: z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:, c:, a:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05BFD1B4 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05C12E28 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05BFCBE8 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic | HTTP traffic detected:
    GET /new_version_4.0.092.txt HTTP/1.1
    Cache-Control: no-cache
    Connection: Close
    Pragma: no-cache
    Accept: */*
    User-Agent: Mozilla/5.0 (Windows; mORMot 1.18 TWinHTTP_)
    Host: www.privazer.com
Source: global traffic | HTTP traffic detected:
    GET /new_version_4.0.092.txt HTTP/1.1
    Cache-Control: no-cache
    Connection: Close
    Pragma: no-cache
    Accept: */*
    User-Agent: Mozilla/5.0 (Windows; mORMot 1.18 TWinHTTP_)
    Host: privazer.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: www.privazer.com
Source: global traffic | DNS traffic detected: DNS query: privazer.com
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Sat, 31 Aug 2024 09:27:20 GMT
    Content-Type: text/html; charset=iso-8859-1
    Content-Length: 196
    Connection: close
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: Yara match | File source: SecuriteInfo.com.Heur.7529.3828.exe, type: SAMPLE
Source: Yara match | File source: 00000000.00000000.2102917811.0000000000A86000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Heur.7529.3828.exe PID: 1176, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2101887856.0000000000401000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: /K vssadmin delete shadows /for=c: /oldest /QUIET
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2101887856.0000000000401000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: H/K vssadmin delete shadows /for=c: /oldest /QUIETC:\\
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2101887856.0000000000401000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: /C vssadmin delete shadows /for=
Source: SecuriteInfo.com.Heur.7529.3828.exe | Binary or memory string: /K vssadmin delete shadows /for=c: /oldest /QUIET
Source: SecuriteInfo.com.Heur.7529.3828.exe | Binary or memory string: H/K vssadmin delete shadows /for=c: /oldest /QUIETC:\\
Source: SecuriteInfo.com.Heur.7529.3828.exe | Binary or memory string: /C vssadmin delete shadows /for=
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code functions: 0_2_05CA85C8, 0_2_05CA84D8, 0_2_05CA83B8, 0_2_05CA82C8, 0_2_05CA6ED8, 0_2_05C3080C, 0_2_05CB174C, 0_2_05CA71B8, 0_2_05BFB96C, 0_2_05CB1890
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: String function: 05BFBD44 appears 37 times
Source: SecuriteInfo.com.Heur.7529.3828.exe | Static PE information: Resource name: EXEFILE type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: SecuriteInfo.com.Heur.7529.3828.exe | Static PE information: Resource name: EXEFILE type: PE32 executable (console) Intel 80386, for MS Windows
Source: SecuriteInfo.com.Heur.7529.3828.exe | Static PE information: Resource name: EXEFILE type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: SecuriteInfo.com.Heur.7529.3828.exe | Static PE information: Resource name: EXEFILE type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: leveldb-viewer.exe.0.dr | Static PE information: Number of sections : 16 > 10
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2101887856.0000000000401000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename vs SecuriteInfo.com.Heur.7529.3828.exe
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2102968553.00000000012BB000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename" vs SecuriteInfo.com.Heur.7529.3828.exe
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2102968553.0000000001FFA000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameprivaZer2 vs SecuriteInfo.com.Heur.7529.3828.exe
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000002.3370847342.00000000009CD000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename vs SecuriteInfo.com.Heur.7529.3828.exe
Source: SecuriteInfo.com.Heur.7529.3828.exe | Binary or memory string: OriginalFilename vs SecuriteInfo.com.Heur.7529.3828.exe
Source: classification engine | Classification label: sus39.rans.evad.winEXE@1/9@2/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05C1310C GetDiskFreeSpaceW
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05CAAE54 FindResourceW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | File created: C:\Users\user\Desktop\PrivaZer.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Mutant created: \Sessions\1\BaseNamedObjects\HookTThread$498
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Mutant created: \Sessions\1\BaseNamedObjects\mutex_PrivaZer_appli
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$498
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | File created: C:\Users\user\AppData\Local\Temp\SecuriteInfo.com.Heur.7529.3828.madExcept
Source: Yara match | File source: SecuriteInfo.com.Heur.7529.3828.exe, type: SAMPLE
Source: Yara match | File source: 00000000.00000000.2102968553.00000000012BB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | File read: C:\Program Files\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2102968553.0000000001271000.00000002.00000001.01000000.00000003.sdmp, sqlite3.dll.0.dr | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2102968553.0000000001271000.00000002.00000001.01000000.00000003.sdmp, sqlite3.dll.0.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2102968553.0000000001271000.00000002.00000001.01000000.00000003.sdmp, sqlite3.dll.0.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2102968553.0000000001271000.00000002.00000001.01000000.00000003.sdmp, sqlite3.dll.0.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2102968553.0000000001271000.00000002.00000001.01000000.00000003.sdmp, sqlite3.dll.0.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2102968553.0000000001271000.00000002.00000001.01000000.00000003.sdmp, sqlite3.dll.0.dr | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2102968553.0000000001271000.00000002.00000001.01000000.00000003.sdmp, sqlite3.dll.0.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2102968553.0000000001271000.00000002.00000001.01000000.00000003.sdmp, sqlite3.dll.0.dr | Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2102968553.0000000001271000.00000002.00000001.01000000.00000003.sdmp, sqlite3.dll.0.dr | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2102968553.0000000001271000.00000002.00000001.01000000.00000003.sdmp, sqlite3.dll.0.dr | Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: SecuriteInfo.com.Heur.7529.3828.exe | String found in binary or memory: 250-STARTTLS
Source: SecuriteInfo.com.Heur.7529.3828.exe | String found in binary or memory: /Address family not supported by protocol family
Source: SecuriteInfo.com.Heur.7529.3828.exe | String found in binary or memory: -stop
Source: SecuriteInfo.com.Heur.7529.3828.exe | String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Sections loaded: mpr.dll, version.dll, wininet.dll, wsock32.dll, shfolder.dll, winmm.dll, powrprof.dll, msi.dll, umpdc.dll, uxtheme.dll, faultrep.dll, dbghelp.dll, dbgcore.dll, ntmarta.dll, windows.storage.dll, wldp.dll, kernel.appcore.dll, esent.dll, explorerframe.dll, dwmapi.dll, olepro32.dll, winhttp.dll, websocket.dll, secur32.dll, sspicli.dll, pstorec.dll, propsys.dll, profapi.dll, fmifs.dll, ulib.dll, ifsutil.dll, devobj.dll, srclient.dll, spp.dll, vssapi.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: vsstrace.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: ktmw32.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: thumbcache.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: policymanager.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: msvcp110_win.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: textinputframework.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: coreuicomponents.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: ntshrui.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: cscapi.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: webio.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32Jump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exeFile written: C:\Users\user\AppData\Local\Temp\000\data.iniJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: OK
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Automated click: Next >
Source: SecuriteInfo.com.Heur.7529.3828.exe | Static PE information: certificate valid
Source: SecuriteInfo.com.Heur.7529.3828.exe | Static file information: File size 29240904 > 1048576
Source: SecuriteInfo.com.Heur.7529.3828.exe | Static PE information: Raw size of CODE is bigger than: 0x100000 < 0x63de00
Source: SecuriteInfo.com.Heur.7529.3828.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x152ee00
Source: SecuriteInfo.com.Heur.7529.3828.exe | Static PE information: More than 200 imports for kernel32.dll
Source: SecuriteInfo.com.Heur.7529.3828.exe | Static PE information: More than 200 imports for user32.dll
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tst\sqlite_bld_dir\2\sqlite3.pdb source: SecuriteInfo.com.Heur.7529.3828.exe, sqlite3.dll.0.dr
Source: sqlite3.dll.0.dr | Static PE information: section name: .00cfg
Source: json.dll.0.dr | Static PE information: section name: .didata
Source: leveldb-viewer.exe.0.dr | Static PE information: section name: /4
Source: leveldb-viewer.exe.0.dr | Static PE information: section name: /14
Source: leveldb-viewer.exe.0.dr | Static PE information: section name: /29
Source: leveldb-viewer.exe.0.dr | Static PE information: section name: /41
Source: leveldb-viewer.exe.0.dr | Static PE information: section name: /55
Source: leveldb-viewer.exe.0.dr | Static PE information: section name: /67
Source: leveldb-viewer.exe.0.dr | Static PE information: section name: /80
Source: leveldb-viewer.exe.0.dr | Static PE information: section name: /91
Source: leveldb-viewer.exe.0.dr | Static PE information: section name: /102
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05C54474 push 05C544CAh; ret | 0_2_05C544C2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05CC4438 push ecx; mov dword ptr [esp], ecx | 0_2_05CC443C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05C0A7FC push ecx; mov dword ptr [esp], eax | 0_2_05C0A7FE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05BFE7E4 push ecx; mov dword ptr [esp], edx | 0_2_05BFE7E5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05BFE7CC push ecx; mov dword ptr [esp], edx | 0_2_05BFE7CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05BFE6B8 push ecx; mov dword ptr [esp], edx | 0_2_05BFE6B9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05BFE692 push ecx; mov dword ptr [esp], edx | 0_2_05BFE695
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05BFE6DA push ecx; mov dword ptr [esp], edx | 0_2_05BFE6DD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05BFE634 push ecx; mov dword ptr [esp], edx | 0_2_05BFE635
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05BFE64C push ecx; mov dword ptr [esp], edx | 0_2_05BFE64D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05BFE640 push ecx; mov dword ptr [esp], edx | 0_2_05BFE641
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05CC2160 push ecx; mov dword ptr [esp], ecx | 0_2_05CC2164
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05C56124 push ecx; mov dword ptr [esp], ecx | 0_2_05C56128
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05BFE01C push ecx; mov dword ptr [esp], edx | 0_2_05BFE01D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05C5C3C8 push ecx; mov dword ptr [esp], ecx | 0_2_05C5C3CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05C5E36C push ecx; mov dword ptr [esp], ecx | 0_2_05C5E370
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05CBE31C push 05CBE38Eh; ret | 0_2_05CBE386
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05CBE2E0 push ecx; mov dword ptr [esp], edx | 0_2_05CBE2E5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05CC4248 push ecx; mov dword ptr [esp], ecx | 0_2_05CC424C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05C5A214 push ecx; mov dword ptr [esp], ecx | 0_2_05C5A218
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05C58D40 push ecx; mov dword ptr [esp], ecx | 0_2_05C58D44
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05C1ECD8 push ecx; mov dword ptr [esp], eax | 0_2_05C1ECD9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05C00CDA push ecx; mov dword ptr [esp], edx | 0_2_05C00CDD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05C1ECA8 push ecx; mov dword ptr [esp], eax | 0_2_05C1ECA9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05C0ACBC push 05C0ACF4h; ret | 0_2_05C0ACEC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05C28E78 push ecx; mov dword ptr [esp], ecx | 0_2_05C28E7B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05CCC9C4 push ecx; mov dword ptr [esp], edx | 0_2_05CCC9C9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05C0A9D0 push ecx; mov dword ptr [esp], eax | 0_2_05C0A9D2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05C62980 push ecx; mov dword ptr [esp], edx | 0_2_05C62985
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05C009A2 push ecx; mov dword ptr [esp], ecx | 0_2_05C009A9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05C629BC push 05C62A35h; ret | 0_2_05C62A2D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | File created: C:\Users\user\AppData\Local\Temp\000\json.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | File created: C:\Users\user\AppData\Local\Temp\000\leveldb-viewer.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | File created: C:\Users\user\AppData\Local\Temp\000\sqlite3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WSearch

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Memory written: PID: 1176 base: 475E80 value: E9 7F 7C 05 00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Memory written: PID: 1176 base: 477C68 value: E9 0B 5E 05 00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Memory written: PID: 1176 base: 4958A0 value: E9 67 84 03 00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Memory written: PID: 1176 base: 4771F4 value: E9 B7 6B 05 00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Memory written: PID: 1176 base: 411C2C value: E9 47 C6 0B 00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Memory written: PID: 1176 base: 48C990 value: E9 37 19 04 00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Memory written: PID: 1176 base: 4927DC value: E9 EF BF 03 00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: SecuriteInfo.com.Heur.7529.3828.exe | Binary or memory string: C:\USERS\FLA\DESKTOP\PROCMON.EXE - RACCOURCI.LNK
Source: SecuriteInfo.com.Heur.7529.3828.exe | Binary or memory string: 0C:\USERS\FLA\DESKTOP\PROCMON.EXE - RACCOURCI.LNK
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\000\json.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\000\leveldb-viewer.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\000\sqlite3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | API coverage: 5.4 %
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe TID: 6820 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05BFD1B4 FindFirstFileW,FindClose, | 0_2_05BFD1B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05C12E28 FindFirstFileW,FindClose, | 0_2_05C12E28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05BFCBE8 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, | 0_2_05BFCBE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05BFDE88 GetSystemInfo, | 0_2_05BFDE88
Source: SecuriteInfo.com.Heur.7529.3828.exe | Binary or memory string: *ALLUSERSPROFILE_APPDATA|VMware\logs||*.log
Source: SecuriteInfo.com.Heur.7529.3828.exe | Binary or memory string: VMware
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000002.3391318080.0000000009ADD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWFICE6=1 #Izarcllsh
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000002.3389758705.0000000009870000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 4OFFICE74=0 #VMware Player0zV
Source: SecuriteInfo.com.Heur.7529.3828.exe | Binary or memory string: 'LocalAppDataPath|Temp\vmware-fla||*.log
Source: SecuriteInfo.com.Heur.7529.3828.exe | Binary or memory string: VMware Player 050620fe75ee0093 05e01ecaf82f7d8e 06059df4b02360af 070b52cf73249257 0a1d19afe5a80f80
Source: PrivaZer.default.ini.0.dr | Binary or memory string: OFFICE74=0 #VMware Player
Source: SecuriteInfo.com.Heur.7529.3828.exe | Binary or memory string: LocalAppDataPath|Temp\vmware-fla||*.log
Source: SecuriteInfo.com.Heur.7529.3828.exe | Binary or memory string: Twitter 888f2fa044591eda8Adobe Acrobat 9 Pro Extended 8a461f82e9eb41022ACDSee Photo Manager 2009 8dcca8b24a5e822e$VMware Workstation 8eafbd04ec8631ce
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000002.3391318080.0000000009ADD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000002.3373961376.00000000021F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Heur.7529.3828.exe | Binary or memory string: WNNC_NET_VMWARE
Source: SecuriteInfo.com.Heur.7529.3828.exe | Binary or memory string: ALLUSERSPROFILE_APPDATA|VMware\logs||*.log
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000002.3391318080.0000000009B52000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 4OFFICE74=0 #VMware Playerr
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000002.3391318080.0000000009B52000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 4OFFICE74=0 #VMware Player
Source: SecuriteInfo.com.Heur.7529.3828.exe | Binary or memory string: VMware Player
Source: SecuriteInfo.com.Heur.7529.3828.exe | Binary or memory string: VMware.Console
Source: SecuriteInfo.com.Heur.7529.3828.exe | Binary or memory string: VMWare Player
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | API call chain: ExitProcess graph end node | graph_0-45690
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05CB908C IsDebuggerPresent,RaiseException, | 0_2_05CB908C
Source: SecuriteInfo.com.Heur.7529.3828.exe | Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.Heur.7529.3828.exe | Binary or memory string: Shell_TrayWndTrayNotifyWndU
Source: SecuriteInfo.com.Heur.7529.3828.exe | Binary or memory string: TrayNotifyWndShell_TrayWnd
Source: SecuriteInfo.com.Heur.7529.3828.exe | Binary or memory string: Shell_TrayWndU
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05BF7C38 cpuid | 0_2_05BF7C38
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: GetUserDefaultUILanguage,GetLocaleInfoW, | 0_2_05BFD2EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: EnumSystemLocalesW, | 0_2_05C1A510
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, | 0_2_05BFC78C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: GetLocaleInfoW, | 0_2_05C1A328
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: GetLocaleInfoW, | 0_2_05C16DE4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: GetLocaleInfoW, | 0_2_05C16E30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05C15288 GetLocalTime, | 0_2_05C15288
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe | Code function: 0_2_05BFDE9C GetVersion, | 0_2_05BFDE9C
Source: SecuriteInfo.com.Heur.7529.3828.exe, 00000000.00000000.2101887856.0000000000401000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: MsMpEng.exe
MITRE ATT&CK Matrix (per tactic; the number in parentheses is the count the report attaches to that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Replication Through Removable Media (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: Windows Service (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Windows Service (1); Process Injection (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (1); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1); File Deletion (1)
Credential Access: Credential API Hooking (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: System Time Discovery (1); Security Software Discovery (121); Virtualization/Sandbox Evasion (1); Process Discovery (2); Peripheral Device Discovery (11); File and Directory Discovery (3); System Information Discovery (45)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Credential API Hooking (1); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (14); Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

Antivirus detection, sample:

Source | Detection | Scanner
SecuriteInfo.com.Heur.7529.3828.exe | 3% | Virustotal
SecuriteInfo.com.Heur.7529.3828.exe | 3% | ReversingLabs

Antivirus detection, dropped files:

Source | Detection | Scanner
C:\Users\user\AppData\Local\Temp\000\json.dll | 3% | ReversingLabs
C:\Users\user\AppData\Local\Temp\000\leveldb-viewer.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\000\sqlite3.dll | 0% | ReversingLabs
            No Antivirus matches
Antivirus detection, domains:

Source | Detection | Scanner
privazer.com | 1% | Virustotal
www.privazer.com | 1% | Virustotal
Antivirus detection, URLs. Trailing characters such as `0`, `0#`, `0s`, `open`, `S`, `SVW`, `U`, `G` and the run-together `...phpopenhttps://...` entries are adjacent bytes pulled in by string extraction from the binaries (DER length bytes after certificate URLs, the ShellExecute "open" verb, neighbouring code bytes); they are not part of the URL and should be trimmed before these strings are used as indicators.

Source | Detection | Scanner | Label
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/envelope/ | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe
https://sectigo.com/CPS0D | 0% | URL Reputation | safe
http://www.sqlite.org/copyright.html. | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
https://www.privazer.com/my_latest_donation.php?email= | 0% | Avira URL Cloud | safe
https://gcc.gnu.org/bugs/): | 0% | Avira URL Cloud | safe
https://privazer.com/new_version_4.0.092.txttxt7 | 0% | Avira URL Cloud | safe
http://www.privazer.com/ | 0% | Avira URL Cloud | safe
https://www.privazer.com0 | 0% | Avira URL Cloud | safe
https://www.privazer.com/language_alert.php | 0% | Avira URL Cloud | safe
https://privazer.com/latest_donations.php | 0% | Avira URL Cloud | safe
https://www.privazer.com/my_latest_donation.php?email= | 0% | Virustotal | -
https://www.privazer.com/download-pro.phpopenhttps://www.privazer.com/version-difference.phpS | 0% | Avira URL Cloud | safe
http://www.privazer.com/ | 1% | Virustotal | -
https://www.privazer.com/order-privazer.htm | 0% | Avira URL Cloud | safe
http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r | 0% | Avira URL Cloud | safe
https://gcc.gnu.org/bugs/): | 0% | Virustotal | -
https://www.privazer.com/pay-EUR-GBP.php | 0% | Avira URL Cloud | safe
https://www.privazer.com/language_alert.php | 0% | Virustotal | -
https://privazer.com/new_version_4.0.092.txt | 0% | Avira URL Cloud | safe
https://www.privazer.com/download-pro.php | 0% | Avira URL Cloud | safe
https://www.privazer.com/changelog.php | 0% | Avira URL Cloud | safe
https://www.privazer.com/download-pro.phpopenhttps://www.privazer.com/version-difference.phpS | 0% | Virustotal | -
https://www.privazer.com/pay-EUR-GBP.php?donors=1&left= | 0% | Avira URL Cloud | safe
https://www.privazer.com/order-privazer.htm | 0% | Virustotal | -
https://privazer.com/latest_donations.php | 0% | Virustotal | -
https://www.privazer.com/support.phpopenU | 0% | Avira URL Cloud | safe
http://www.privazer.com | 0% | Avira URL Cloud | safe
https://www.privazer.com/download-pro.php | 0% | Virustotal | -
https://privazer.com/new_version_4.0.092.txt | 0% | Virustotal | -
https://www.privazer.com/support.phpopen | 0% | Avira URL Cloud | safe
https://sectigo.com/CPS0B | 0% | Avira URL Cloud | safe
https://www.privazer.com/pay-EUR-GBP.php?donors=1&left= | 0% | Virustotal | -
https://www.privazer.com/pay-EUR-GBP.php | 0% | Virustotal | -
http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r | 0% | Virustotal | -
https://www.privazer.com/new_version_4.0.092.txt | 0% | Avira URL Cloud | safe
https://www.privazer.com/changelog.php | 0% | Virustotal | -
https://www.privazer.com/pay-EUR-GBP.phpopenJRUN_A_CLEANUP_AT_PC_STARTUP_NOTIFY_ME | 0% | Avira URL Cloud | safe
https://sectigo.com/CPS0B | 0% | Virustotal | -
https://www.privazer.com/latest_donations.php | 0% | Avira URL Cloud | safe
https://www.privazer.com/support.phpopen | 0% | Virustotal | -
https://www.privazer.com/support.phpopenU | 0% | Virustotal | -
https://www.privazer.com:443/new_version_4.0.092.txt | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0# | 0% | Avira URL Cloud | safe
http://www.privazer.com | 1% | Virustotal | -
https://privazer.com/bug-madexcept.php | 0% | Avira URL Cloud | safe
https://www.privazer.com/new_version_4.0.092.txt | 0% | Virustotal | -
http://privazer.com/downloadupdate.php?changelog | 0% | Avira URL Cloud | safe
https://www.privazer.com/pay-EUR-GBP.phpopen | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0# | 0% | Virustotal | -
https://www.privazer.com/pay-EUR-GBP.phpopenJRUN_A_CLEANUP_AT_PC_STARTUP_NOTIFY_ME | 0% | Virustotal | -
https://www.privazer.com/pay-EUR-GBP.phpopenSVW | 0% | Avira URL Cloud | safe
https://www.privazer.com/language_alert.phpopen | 0% | Avira URL Cloud | safe
https://www.privazer.com/pay-EUR-GBP.phpopenS | 0% | Avira URL Cloud | safe
https://www.privazer.com:443/new_version_4.0.092.txt | 0% | Virustotal | -
https://www.privazer.com/pay-EUR-GBP.phpopenSVW | 0% | Virustotal | -
https://www.privazer.com/pay-EUR-GBP.phpopen | 0% | Virustotal | -
https://www.privazer.com/pay-EUR-GBP.phpopenU | 0% | Avira URL Cloud | safe
https://www.privazer.com/G | 0% | Avira URL Cloud | safe
https://www.privazer.com/version-difference.php | 0% | Avira URL Cloud | safe
http://privazer.com/downloadupdate.php?changelog | 0% | Virustotal | -
https://www.privazer.com/language_alert.phpopen | 0% | Virustotal | -
https://www.privazer.com/pay-EUR-GBP.php?donors=1&support=1 | 0% | Avira URL Cloud | safe
https://www.privazer.com/pay-EUR-GBP.phpopenS | 0% | Virustotal | -
https://www.privazer.com/PrivaZer.exe | 0% | Avira URL Cloud | safe
https://www.privazer.com/pay-EUR-GBP.phpopenU | 0% | Virustotal | -
https://www.privazer.com/PrivaZer_Pro.exe | 0% | Avira URL Cloud | safe
https://www.privazer.com/support.php | 0% | Avira URL Cloud | safe
https://privazer.com/bug-madexcept.php | 0% | Virustotal | -
https://www.privazer.com/changelog.phpopenU | 0% | Avira URL Cloud | safe
https://www.privazer.comhttps://www.privazer.com/download-pro.phpopenhttps://www.privazer.com/versio | 0% | Avira URL Cloud | safe
https://www.privazer.com/download-pro.phpopenhttps://www.privazer.com/version-difference.php3 | 0% | Avira URL Cloud | safe
https://privazer.com/latest_donations.phpmsctls_progress32 | 0% | Avira URL Cloud | safe
https://www.privazer.com/order-privazer.htmopen | 0% | Avira URL Cloud | safe
https://www.privazer.com/exit_unicode.php?country= | 0% | Avira URL Cloud | safe
https://www.privazer.com/latest_donations.php | 0% | Virustotal | -
https://www.privazer.com | 0% | Avira URL Cloud | safe
https://www.privazer.com/pay-EUR-GBP.php?donors=1&support=1https://www.privazer.com/pay-EUR-GBP.phpS | 0% | Avira URL Cloud | safe
Domains:

Name | IP | Active | Malicious | Antivirus Detection | Reputation
privazer.com | 94.23.156.117 | true | false | - | unknown
www.privazer.com | unknown | unknown | false | - | unknown
Contacted URLs:

Name | Malicious | Antivirus Detection | Reputation
https://privazer.com/new_version_4.0.092.txt | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://www.privazer.com/new_version_4.0.092.txt | false | Virustotal 0%; Avira URL Cloud: safe | unknown
URLs found in memory and binary data. Every entry below has Malicious = false and Reputation = unknown, so those two columns are omitted. "sample" stands for SecuriteInfo.com.Heur.7529.3828.exe; ".0.dr" sources are the dropped files; ".sdmp" sources are memory dumps of process 0.

Name | Source | Antivirus Detection
https://www.privazer.com/my_latest_donation.php?email= | sample | Virustotal 0%; Avira URL Cloud: safe
http://www.privazer.com/ | sample | Virustotal 1%; Avira URL Cloud: safe
https://gcc.gnu.org/bugs/): | leveldb-viewer.exe.0.dr | Virustotal 0%; Avira URL Cloud: safe
https://privazer.com/new_version_4.0.092.txttxt7 | sample, 00000000.00000002.3391318080.0000000009ADD000.00000004.00000020.00020000.00000000.sdmp | Avira URL Cloud: safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | sample, json.dll.0.dr, sqlite3.dll.0.dr | URL Reputation: safe
http://ocsp.sectigo.com0 | sample, json.dll.0.dr, leveldb-viewer.exe.0.dr, sqlite3.dll.0.dr | URL Reputation: safe
https://www.privazer.com0 | sample, json.dll.0.dr, sqlite3.dll.0.dr | Avira URL Cloud: safe
https://www.privazer.com/language_alert.php | sample | Virustotal 0%; Avira URL Cloud: safe
https://privazer.com/latest_donations.php | sample | Virustotal 0%; Avira URL Cloud: safe
https://www.privazer.com/download-pro.phpopenhttps://www.privazer.com/version-difference.phpS | sample | Virustotal 0%; Avira URL Cloud: safe
http://schemas.xmlsoap.org/soap/envelope/ | sample | URL Reputation: safe
https://www.privazer.com/order-privazer.htm | sample | Virustotal 0%; Avira URL Cloud: safe
http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r | sample, leveldb-viewer.exe.0.dr | Virustotal 0%; Avira URL Cloud: safe
https://www.privazer.com/pay-EUR-GBP.php | sample | Virustotal 0%; Avira URL Cloud: safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | sample, json.dll.0.dr, sqlite3.dll.0.dr | URL Reputation: safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | sample, 00000000.00000000.2102968553.00000000012BB000.00000002.00000001.01000000.00000003.sdmp | URL Reputation: safe
https://www.privazer.com/download-pro.php | sample | Virustotal 0%; Avira URL Cloud: safe
https://www.privazer.com/changelog.php | sample | Virustotal 0%; Avira URL Cloud: safe
https://www.privazer.com/pay-EUR-GBP.php?donors=1&left= | sample | Virustotal 0%; Avira URL Cloud: safe
https://www.privazer.com/support.phpopenU | sample | Virustotal 0%; Avira URL Cloud: safe
http://www.privazer.com | sample, leveldb-viewer.exe.0.dr | Virustotal 1%; Avira URL Cloud: safe
https://www.privazer.com/support.phpopen | sample | Virustotal 0%; Avira URL Cloud: safe
https://sectigo.com/CPS0B | sample, leveldb-viewer.exe.0.dr | Virustotal 0%; Avira URL Cloud: safe
https://sectigo.com/CPS0D | sample, leveldb-viewer.exe.0.dr | URL Reputation: safe
https://www.privazer.com/pay-EUR-GBP.phpopenJRUN_A_CLEANUP_AT_PC_STARTUP_NOTIFY_ME | sample | Virustotal 0%; Avira URL Cloud: safe
https://www.privazer.com/latest_donations.php | sample | Virustotal 0%; Avira URL Cloud: safe
https://www.privazer.com:443/new_version_4.0.092.txt | sample, 00000000.00000002.3391318080.00000000099AF000.00000004.00000020.00020000.00000000.sdmp | Virustotal 0%; Avira URL Cloud: safe
http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0# | sample, leveldb-viewer.exe.0.dr | Virustotal 0%; Avira URL Cloud: safe
http://www.sqlite.org/copyright.html. | sample, sqlite3.dll.0.dr | URL Reputation: safe
https://privazer.com/bug-madexcept.php | sample, 00000000.00000000.2102968553.0000000001FFA000.00000002.00000001.01000000.00000003.sdmp | Virustotal 0%; Avira URL Cloud: safe
http://privazer.com/downloadupdate.php?changelog | sample, 00000000.00000000.2102968553.0000000001B8D000.00000002.00000001.01000000.00000003.sdmp | Virustotal 0%; Avira URL Cloud: safe
https://www.privazer.com/pay-EUR-GBP.phpopen | sample | Virustotal 0%; Avira URL Cloud: safe
https://sectigo.com/CPS0 | sample, json.dll.0.dr, sqlite3.dll.0.dr | URL Reputation: safe
https://www.privazer.com/pay-EUR-GBP.phpopenSVW | sample | Virustotal 0%; Avira URL Cloud: safe
https://www.privazer.com/language_alert.phpopen | sample | Virustotal 0%; Avira URL Cloud: safe
https://www.privazer.com/pay-EUR-GBP.phpopenS | sample | Virustotal 0%; Avira URL Cloud: safe
https://www.privazer.com/pay-EUR-GBP.phpopenU | sample | Virustotal 0%; Avira URL Cloud: safe
https://www.privazer.com/G | sample, 00000000.00000002.3391318080.0000000009ADD000.00000004.00000020.00020000.00000000.sdmp | Avira URL Cloud: safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | sample, json.dll.0.dr, sqlite3.dll.0.dr | URL Reputation: safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | sample, 00000000.00000000.2102968553.00000000012BB000.00000002.00000001.01000000.00000003.sdmp | URL Reputation: safe
https://www.privazer.com/version-difference.php | sample | Avira URL Cloud: safe
https://www.privazer.com/pay-EUR-GBP.php?donors=1&support=1 | sample | Avira URL Cloud: safe
https://www.privazer.com/PrivaZer.exe | sample | Avira URL Cloud: safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | sample, json.dll.0.dr, leveldb-viewer.exe.0.dr, sqlite3.dll.0.dr | URL Reputation: safe
https://www.privazer.com/PrivaZer_Pro.exe | sample | Avira URL Cloud: safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | sample, json.dll.0.dr, sqlite3.dll.0.dr | URL Reputation: safe
https://www.privazer.com/support.php | sample | Avira URL Cloud: safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | sample, json.dll.0.dr, leveldb-viewer.exe.0.dr, sqlite3.dll.0.dr | URL Reputation: safe
https://www.privazer.com/changelog.phpopenU | sample | Avira URL Cloud: safe
https://www.privazer.comhttps://www.privazer.com/download-pro.phpopenhttps://www.privazer.com/versio | sample | Avira URL Cloud: safe
https://www.privazer.com/download-pro.phpopenhttps://www.privazer.com/version-difference.php3 | sample | Avira URL Cloud: safe
https://privazer.com/latest_donations.phpmsctls_progress32 | sample | Avira URL Cloud: safe
https://www.privazer.com/order-privazer.htmopen | sample | Avira URL Cloud: safe
https://www.privazer.com/exit_unicode.php?country= | sample | Avira URL Cloud: safe
https://www.privazer.com | sample | Avira URL Cloud: safe
https://www.privazer.com/pay-EUR-GBP.php?donors=1&support=1https://www.privazer.com/pay-EUR-GBP.phpS | sample | Avira URL Cloud: safe
Contacted IPs:

IP | Domain | Country | ASN | ASN Name | Malicious
94.23.156.117 | privazer.com | France | 16276 | OVHFR | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1502166
Start date and time: 2024-08-31 11:26:13 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 51s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Heur.7529.3828.exe
Detection: SUS
Classification: sus39.rans.evad.winEXE@1/9@2/1
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): SearchFilterHost.exe, dllhost.exe, SearchProtocolHost.exe, WMIADAP.exe, SIHClient.exe, SearchIndexer.exe, svchost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadFile calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
05:27:07 | API Interceptor | 6x Sleep call for process: SecuriteInfo.com.Heur.7529.3828.exe modified
Joe Sandbox View: related analyses sharing an indicator with this sample. The SHA 256 and Link columns of the original are links only and are omitted here.

Matches on contacted IP:

Match | Associated Sample Name / URL | Detection | Threat Name | Context
94.23.156.117 | SecuriteInfo.com.Heur.13935.12847.exe | malicious | Unknown | -

Matches on contacted domain: none.

Matches on ASN:

Match | Associated Sample Name / URL | Detection | Threat Name | Context
OVHFR | http://security-azure.b-cdn.net/ | malicious | Unknown | 193.70.74.252
OVHFR | http://eedqt.foruskw.com/4lAabg16572cnef1382rzkeufeqnp14569ZZZRNPUIWFYUECM7379HVKJ18607i18 | malicious | Unknown | 54.38.113.3
OVHFR | Etisalat Summary Bill for the Month of August.exe | malicious | FormBook | 213.186.33.5
OVHFR | fnMUjxpqa5.exe | malicious | CobaltStrike, Metasploit | 54.39.19.94
OVHFR | rBslc_Pymt-Hs.exe | malicious | Remcos, DBatLoader | 51.79.72.49
OVHFR | https://gocloud.co.ke/ShareDocu.php/?email=cmFjaGVsakBjb21wbHl3b3Jrcy5jb20= | malicious | Captcha Phish, HTMLPhisher | 178.32.197.57
OVHFR | https://my.manychat.com/r?act=179c825ab8add5f9e8bacb82e520a126&u=7459244230843026&p=108345799024755&h=708b8c96be&fbclid=IwZXh0bgNhZW0CMTAAAR07FD8Q65AMa77uMdYFT9FANMjTbvHV0BrVDR-o7WBQKwVAUtHYk2rnVVU_aem_OFd7GNUGsZzyslAWr711gg | malicious | Unknown | 5.135.113.252
OVHFR | OJO!!! No lo he abiertoFwd_ Message From 646___xbx2.eml | malicious | Unknown | 54.36.150.180
OVHFR | O239SIeyKA.exe | malicious | RHADAMANTHYS | 51.75.171.9
OVHFR | 227979659-051450-sanlccjavap0004-13413.exe | malicious | GuLoader | 51.210.114.240

An ASN match means only that a related sample contacted some address in the same hosting provider (OVH, a large commodity host); it carries no weight on its own.

Matches on JA3 fingerprint a0e9f5d64349fb13191bc781f81f42e1:

Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | IrisMichael263Fiona.lib.exe | malicious | LummaC | 94.23.156.117
a0e9f5d64349fb13191bc781f81f42e1 | https://seoservicesiox.firebaseapp.com/&err=b0qmbz0rr7j7jwfxwuge?err=am30dbsswi0 | malicious | HTMLPhisher | 94.23.156.117
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC | 94.23.156.117
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC | 94.23.156.117
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC | 94.23.156.117
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC, PureLog Stealer, Vidar | 94.23.156.117
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC, PureLog Stealer, Stealc, Vidar | 94.23.156.117
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC, PureLog Stealer, Vidar | 94.23.156.117
a0e9f5d64349fb13191bc781f81f42e1 | snhNDcl7l4.exe | malicious | LummaC | 94.23.156.117
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC | 94.23.156.117

A JA3 hash fingerprints the TLS ClientHello (protocol version, cipher suites, extensions, groups and point formats), which is determined by the TLS library and its configuration rather than by the program using it. Any software built on the same stack produces the same hash, so a JA3 overlap with LummaC or Vidar samples is not evidence that this sample is related to them; it only says they share a TLS client implementation.

Matches on dropped files:

Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Local\Temp\000\leveldb-viewer.exe | SecuriteInfo.com.Heur.13935.12847.exe | malicious | Unknown | -
C:\Users\user\AppData\Local\Temp\000\json.dll | SecuriteInfo.com.Heur.13935.12847.exe | malicious | Unknown | -
C:\Users\user\AppData\Local\Temp\000\sqlite3.dll | SecuriteInfo.com.Heur.13935.12847.exe | malicious | Unknown | -
                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):30274
                    Entropy (8bit):3.7726676835319526
                    Encrypted:false
                    SSDEEP:384:wGU/ZMwdLWp9HF406bFkI0rrr6Ng7nBn/Din1Pu3oGnA+QjzeHCEDdko2AlG9MHc:wHBSozsd6mAB3J+SdZ8sazG7jzv
                    MD5:B4CD0BA1301D6D453E79F209144C77E1
                    SHA1:8C1B5D49F314AA9CF8580ECADFEA8300087C5935
                    SHA-256:05A6507895665DDA3DD6C877C3A91C8A25BE7A39CBCC9E4421F492B569D64B90
                    SHA-512:AAC9DB83072782068BF4A7648B687A35523F4A36C11D12E2B65E55CA5E0E8225E81F4CBC091638F40638DAD15C89FB9D85F30008EDB722D63E76AB1C624425CC
                    Malicious:false
                    Reputation:low
                    Preview:..[.S.C.A.N.S.].....S.c.a.n.0.=.1... .#.P.r.e.-.a.n.a.l.y.s.i.s.....S.c.a.n.1.=.1... .#.T.r.a.c.e.s. .i.n. .M.F.T.....S.c.a.n.2.=.1... .#.T.r.a.c.e.s. .i.n. .f.r.e.e. .s.p.a.c.e.....S.c.a.n.3.=.1... .#.T.r.a.c.e.s. .i.n. .U.S.N. .J.o.u.r.n.a.l.....S.c.a.n.4.=.1... .#.T.r.a.c.e.s. .i.n. .$.L.o.g.F.i.l.e.....S.c.a.n.5.=.1... .#.I.n.t.e.r.n.e.t. .b.r.o.w.s.i.n.g.....S.c.a.n.6.=.1... .#.C.o.o.k.i.e.s.,. .S.u.p.e.r./.E.v.e.r.c.o.o.k.i.e.s.....S.c.a.n.7.=.1... .#.I.n.d.e.x...d.a.t. .&. .W.e.b.C.a.c.h.e.....S.c.a.n.8.=.1... .#.M.e.s.s.e.n.g.e.r.s.....S.c.a.n.9.=.1... .#.W.i.n.d.o.w.s. .h.i.s.t.o.r.y.....S.c.a.n.1.0.=.1... .#.R.e.g.i.s.t.r.y.....S.c.a.n.1.1.=.1... .#.I.n.d.e.x.i.n.g.....S.c.a.n.1.2.=.1... .#.M.e.m.o.r.y.....S.c.a.n.1.3.=.1... .#.S.t.a.r.t.,.J.u.m.p.L.i.s.t.s.,.Q.u.i.c.k. .A.c.c.e.s.s.....S.c.a.n.1.4.=.1... .#.S.y.s.t.e.m.....S.c.a.n.1.5.=.1... .#.A.p.p.s. .+. .W.i.n.d.o.w.s. .S.t.o.r.e.....S.c.a.n.1.6.=.1... .#.D.o.w.n.l.o.a.d.e.r.s.,. .b.u.r.n.i.n.g.....S.c.a.n.1.7.=.1... .#.
                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:modified
                    Size (bytes):30504
                    Entropy (8bit):3.781059806699538
                    Encrypted:false
                    SSDEEP:384:9U/Zt9wB5NnWyW0j9HpjM3c40vNbzDt0kI0rrr6UENg7SLBnqd/StDin1Pu3oGnC:iByAzVlqmAB3hOldYEkzrf7rzv
                    MD5:671CD2F1FA35D019006FCF0865C4AADB
                    SHA1:D85B5D3FDAFFEE2B4FD904E9DA353299AB35C1C4
                    SHA-256:F98EBA0F9E1466CC091BE1ED7C5AFCBBFF8F837DECF3F1DBB50EDD129C8E2ADC
                    SHA-512:80B9D04D5A65E95D279DBAA2AD19DC10D829563B056CC3CC93D26BE6A53EC8740BA4822D5E9B1E914E64B78C9DB952AC08EBF7B9DB8C2339737D5F133C14BCFC
                    Malicious:false
                    Reputation:low
                    Preview:..[.G.E.N.E.R.A.L.].....l.a.n.g.u.a.g.e.=.e.n.....L.A.S.T._.U.P.D.A.T.E._.D.A.T.E.=.1.3.3.6.9.5.7.0.0.3.7.6.9.2.0.0.0.0.........[.H.E.L.P.].....A.D.V.A.N.C.E.D._.U.S.E.R.=.0.........[.C.O.O.K.I.E.S.].....M.O.D.E.=.s.m.a.r.t... .#.S.m.a.r.t.........[.S.C.A.N.S.].....S.c.a.n.0.=.1... .#.P.r.e.-.a.n.a.l.y.s.i.s.....S.c.a.n.1.=.1... .#.T.r.a.c.e.s. .i.n. .M.F.T.....S.c.a.n.2.=.1... .#.T.r.a.c.e.s. .i.n. .f.r.e.e. .s.p.a.c.e.....S.c.a.n.3.=.1... .#.T.r.a.c.e.s. .i.n. .U.S.N. .J.o.u.r.n.a.l.....S.c.a.n.4.=.1... .#.T.r.a.c.e.s. .i.n. .$.L.o.g.F.i.l.e.....S.c.a.n.5.=.1... .#.I.n.t.e.r.n.e.t. .b.r.o.w.s.i.n.g.....S.c.a.n.6.=.1... .#.C.o.o.k.i.e.s.,. .S.u.p.e.r./.E.v.e.r.c.o.o.k.i.e.s.....S.c.a.n.7.=.1... .#.I.n.d.e.x...d.a.t. .&. .W.e.b.C.a.c.h.e.....S.c.a.n.8.=.1... .#.M.e.s.s.e.n.g.e.r.s.....S.c.a.n.9.=.1... .#.W.i.n.d.o.w.s. .h.i.s.t.o.r.y.....S.c.a.n.1.0.=.1... .#.R.e.g.i.s.t.r.y.....S.c.a.n.1.1.=.1... .#.I.n.d.e.x.i.n.g.....S.c.a.n.1.2.=.1... .#.M.e.m.o.r.y.....S.c.a.n.1.3.=.1... .#.S.t.a.
                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe
                    File Type:Generic INItialization configuration [section_version]
                    Category:dropped
                    Size (bytes):153
                    Entropy (8bit):4.7027960170837115
                    Encrypted:false
                    SSDEEP:3:XOXA224IZoNSiWYR4GRLlJ9AWv+QwZMWRN7y:XgAzZoNrWYbLlzAW2GSNO
                    MD5:45559BDE2C38B6BD413E6B82E4C07939
                    SHA1:358EB05EC90DD1E21D52AFAF8CC0CCA37F05A1CF
                    SHA-256:8B383FBCB145BEAF30F7C0F1B71E0019B6DA9DF4F650613F08B3D7B0C7B9D0D2
                    SHA-512:175780864D083F53860F9BCAEB4F6EACE529E2A08772AB535912322772C62380CF831BFAE0A301A1132E026A8D3380A93156C0C631D76CEE8403280EE697E72F
                    Malicious:false
                    Reputation:low
                    Preview:[para]..scan_trace_per_period=0..soft_version_date=133695700285990000..soft_version=4.0.092..show_pres=0..[section_version]..4.0.092=133695700285830000..
                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):2727904
                    Entropy (8bit):6.631826151141906
                    Encrypted:false
                    SSDEEP:49152:VolOHhecHMHzlwvyjNmXLy5PlYTo25hKieciS4i5ppZdkXvy+QiUu8:V6OHhHHMTlgsJHUu8
                    MD5:862EB74EF2D18DC4BBD27BBBF072AC27
                    SHA1:0C8D2E9FC1569E27B99CC4AA222FBC777A75942A
                    SHA-256:BF51CDFC3080F17655056D00504D5AF2FC12441C36ADA627827CE3ECC6743517
                    SHA-512:BA8BA4499132075AB165E5697135BA5E161AC6F6551D17C6C83A3E67B9F96F82AFA2D144816E28E0F86A90A1D8B91076CB077DF3CB8E2E468E2CFDC82BDC9857
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 3%
                    Joe Sandbox View:
                    • Filename: SecuriteInfo.com.Heur.13935.12847.exe, Detection: malicious, Browse
                    Reputation:low
                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................$..`......h.%.......%...@...........................*.......*.............................. &.v.....%.d7....)..l...........P)..O...0&.X[.................................................. .%.......&......................text.....$.......$................. ..`.itext........$.......$............. ..`.data....S....%..T....$.............@....bss.....S...p%......D%..................idata..d7....%..8...D%.............@....didata.......&......|%.............@....edata..v.... &.......%.............@..@.reloc..X[...0&..\....%.............@..B.rsrc....l....)..l....(.............@..@..............*......P).............@..@................................................................................................
                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe
                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):2686024
                    Entropy (8bit):6.142547137168233
                    Encrypted:false
                    SSDEEP:24576:DNd+PjszxkN1IH8abnVJns+ydE43kVTMW3esjfDcoHUXU0fb+ddR2GKccSw92jPW:P+PQzxz3yTy+cRGcvwti3fs9eEF
                    MD5:180D2372F0FB3F6431EED893417F1989
                    SHA1:19027132A8620802DD8FB11F99B5CB5E53514F18
                    SHA-256:21097BF047F6EB5A2E2033103AA1DE7825F0087DFF2C0CD254D689213187140E
                    SHA-512:980F5E2E5F684084BBCF905B243F6808EA7C6BA2F4A52EF8C7C56047A6159F1B6CA1179BD4E27C27B9A997EBA2873E98C0DD7EFF4A312B254C4B9AB46A3439CD
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Joe Sandbox View:
• Filename: SecuriteInfo.com.Heur.13935.12847.exe, Detection: malicious
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....2^.....a....................................@...................................)....... ......................................................(.x@...................................G..........................h............................text...0...........................`.P`.data...............................@.`..rdata..@...........................@.`@/4............... ..................@.0@.bss....`.............................`..idata..............................@.0..CRT....8...........................@.0..tls......... ......................@.0./14.....P....0......................@.@B/29.....q....@......................@..B/41.......... ... ..................@..B/55......^...@...`..................@..B/67.....8............2..............@.0B/80..................4..............@..B/91..................8..............@..B/102....X....p..........
                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe
                    File Type:HTML document, ASCII text
                    Category:dropped
                    Size (bytes):196
                    Entropy (8bit):5.098952451791238
                    Encrypted:false
                    SSDEEP:6:pn0+Dy9xwGObRmEr6VnetdzRx3G0CezocKqD:J0+oxBeRmR9etdzRxGez1T
                    MD5:62962DAA1B19BBCC2DB10B7BFD531EA6
                    SHA1:D64BAE91091EDA6A7532EBEC06AA70893B79E1F8
                    SHA-256:80C3FE2AE1062ABF56456F52518BD670F9EC3917B7F85E152B347AC6B6FAF880
                    SHA-512:9002A0475FDB38541E78048709006926655C726E93E823B84E2DBF5B53FD539A5342E7266447D23DB0E5528E27A19961B115B180C94F2272FF124C7E5C8304E7
                    Malicious:false
                    Reputation:moderate, very likely benign file
                    Preview:<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL was not found on this server.</p>.</body></html>.
                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe
                    File Type:Audio file with ID3 version 2.4.0, contains: MPEG ADTS, layer III, v1, 256 kbps, 48 kHz, Stereo
                    Category:dropped
                    Size (bytes):308013
                    Entropy (8bit):7.907513443547922
                    Encrypted:false
                    SSDEEP:6144:jczYv01jGsKdfbnBgJ59ef5MO1u5IHN1wDA2U2qnmFU4ZIUsvanmC6:jU1vtJuf7YuP2UydaC6
                    MD5:40EB8445F9440962DA3F64CBA064EDF9
                    SHA1:D76FB27CAB135CBBC998404F8FC3FC18EE88EB6F
                    SHA-256:8DEFBFFA55515DC2D2451177944C28724D7D7F63FECAF09709EEEBB2239AC041
                    SHA-512:E27BBB5DC0F15AE355FA3FEC8F533A11E578A1B4BD737508F064F68D10EA2821CDDEAC82EADE987A9F5A9320F557D5F31AAADC29E6340C84FB6C9AF8DAE13B1E
                    Malicious:false
                    Reputation:low
                    Preview:ID3......#TSSE.......Lavf58.76.100...............................................Info........................ #%(*-/247:<?ADFIKNQSVX[]`behjmortwy|.......................................................Lavf.................$.@.........{.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................d.....i....... .......... ..4....LAME3.100UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):2505696
                    Entropy (8bit):6.076420802474236
                    Encrypted:false
                    SSDEEP:49152:GY7LE5gv9G8jd4QoOLtwnscD2bJQI/H4YFr15E8:GY7LOgbjdAitAT43H4g5d
                    MD5:EA1FEF49618036CF262389F8B163737C
                    SHA1:AD14B8B3891043BA313934D4C96A67C4F726A0D6
                    SHA-256:E44D60ACDBB9DAEC105432407F6B0EC6C19B9AD60456256788AC5A53DDF0CB70
                    SHA-512:331A6D00DA0D8B47B13E9E04C73D8620D8EE721D353426655B0C30A4AB1DD9C21F7E45D02F90FAFB6339771C4C9622E8BD7E7F59B811696698B9FF963A2ED687
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Joe Sandbox View:
• Filename: SecuriteInfo.com.Heur.13935.12847.exe, Detection: malicious
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~...:...:...:...q.......q.......q.......q...9...:......./...%.../...5.../...-....t..;....t..;....tf.;....t..;...Rich:...........................PE..L...<=.e...........!...%.4!..........D.......P!..............................`&.....U.&...@..........................>$..6....%.(....0%...............%..O...P%.......$.8.............................$.@.............%..............................text...K3!......4!................. ..`.rdata...%...P!..&...8!.............@..@.data...t~....$..d...^$.............@....idata........%.......$.............@..@.00cfg....... %.......$.............@..@.rsrc........0%.......$.............@..@.reloc.......P%.......$.............@..B........................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):1452
                    Entropy (8bit):3.496489415646173
                    Encrypted:false
                    SSDEEP:24:Q+z/tLqiuZFAn1yu92YXKS/ScljyJW3peGl9NYEjyJWgusRcljGMJplI+19aRayR:rzMisFG1ysJ35VsyXYrusRcljJSy9iI8
                    MD5:9272B8BDA67F013EBECF218C77AD1D5B
                    SHA1:50EBF568B2E6C7205EC8F6D6023829AF6D8EABD9
                    SHA-256:C19D282CBF82AE2E16D1CB014DBED76D11B29EDA4D1357CE13699620F2CC4ED4
                    SHA-512:B3C71738CC240DE0BCD4FC8058315B61BEDFE6123AE2F17CF216910B3B910FE335E9281F6F60060A364C4C7BCDDB3EEA0A2E85E9391120D0FD241AC611685675
                    Malicious:false
                    Preview:..[.G.E.N.E.R.A.L.].....l.a.n.g.u.a.g.e.=.e.n.....L.A.S.T._.U.P.D.A.T.E._.D.A.T.E.=.1.3.3.6.9.5.7.0.0.3.7.6.9.2.0.0.0.0.........[.H.E.L.P.].....A.D.V.A.N.C.E.D._.U.S.E.R.=.0.........[.E.X.P.R.E.S.S. .S.E.T.U.P.].....s.m.a.r.t._.c.o.o.k.i.e.s._.s.e.l.e.c.t.i.o.n.=.s.m.a.r.t.....s.e.s.s.i.o.n._.c.l.e.a.n.u.p.=.1.....n.e.t._.d.a.t.a._.u.s.a.g.e._.c.l.e.a.n.u.p.=.1.....w.e.b.c.a.c.h.e._.c.l.e.a.n.u.p.=.r.e.m.o.v.e. .a.l.l... .#.r.e.m.o.v.e. .a.l.l.....s.h.e.l.l.b.a.g.s._.c.l.e.a.n.u.p.=.1.....s.h.e.l.l.b.a.g.s._.c.l.e.a.n.u.p._.k.e.e.p._.d.e.s.k._.i.c.o.n.s.=.1.....s.h.e.l.l.b.a.g.s._.c.l.e.a.n.u.p._.k.e.e.p._.d.e.f.a.u.l.t.=.1.....s.h.e.l.l.b.a.g.s._.c.l.e.a.n.u.p._.k.e.e.p._.q.u.i.c.k._.a.c.c.e.s.s.=.1.....e.m.p.t.y._.r.e.c.y.c.l.e._.b.i.n._.a.t._.e.a.c.h._.c.l.e.a.n.u.p.=.1.....s.h.o.r.t.c.u.t.s._.c.l.e.a.n.u.p.=.1... .#.I.n.v.a.l.i.d. .s.h.o.r.t.c.u.t.s.....o.f.f.i.c.e._.a.p.p._.c.l.e.a.n.u.p.=.0.....p.h.o.t.o._.c.l.e.a.n.u.p.=.0.....j.u.m.p.l.i.s.t._.q.u.i.c.k._.a.c.c.e.s.s._.c.l.e.a.
                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Entropy (8bit):6.746513065616034
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 99.53%
                    • InstallShield setup (43055/19) 0.43%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:SecuriteInfo.com.Heur.7529.3828.exe
                    File size:29'240'904 bytes
                    MD5:6eec575753a25441c6fade4f961195c4
                    SHA1:69ba87145777b46ca4e06c5563ebe77d4394d9e7
                    SHA256:85433453aa370dd4059262be9a53d8cfed907908d7728226462a5fa6a667e921
                    SHA512:64a8e6e952649f48fdaad9f1a13a8d559cc8a773d62bd264682ecf46953c89338d72f0e9f3ec7c4eb95af875a84871e6cd30dce2931dc6570ee13f88f3f8606f
                    SSDEEP:393216:3klccCBUdnAbrIwYJ2UqTqyxn5S+ZofBgq2EOKU2KgYgsMenuGGwRIYKj1SN8Ojg:3wMrdZBEO994GGwRIYKj1SN8OjxF7+aO
                    TLSH:01578B15B340923AC85763F48407B2A95B342DA15B21DAD7398EBE1CFFB52C1AD382D7
                    File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                    Icon Hash:89793299cc3eac53
                    Entrypoint:0xa3b568
                    Entrypoint Section:CODE
                    Digitally signed:true
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                    DLL Characteristics:
Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC] (a fixed value written by Borland/Delphi linkers, consistent with the "MZP" stub and "This program must be run under Win32" message; it is not the real build time)
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:efaf2bdeb2dca70615e241968bbd75f4
                    Signature Valid:true
                    Signature Issuer:CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
                    Signature Validation Error:The operation completed successfully
                    Error Number:0
Not Before:13/04/2023 02:00:00
Not After:13/07/2026 01:59:59
                    Subject Chain
                    • CN=Goversoft LLC, O=Goversoft LLC, S=Delaware, C=US
                    Version:3
                    Thumbprint MD5:827CA6FA6F7D1ED0D0148D0655CB1DDC
                    Thumbprint SHA-1:878CCACA0F4073B68E4D216A9DBC4D9C31B7CD0C
                    Thumbprint SHA-256:21D3CBAC3322E04AF050CFA5C6C3E357C22BC78D743DD0B47628C3BE6FA09BCA
                    Serial:009C91D8D991C56342F031B82DA330CCAF
                    Instruction
                    push ebp
                    mov ebp, esp
                    mov ecx, 00000048h
                    push 00000000h
                    push 00000000h
                    dec ecx
                    jne 00007F1A64816F7Bh
                    push ecx
                    push ebx
                    push esi
                    push edi
                    mov eax, 00A3A978h
                    call 00007F1A641E2ACCh
                    mov edi, dword ptr [00A55DB8h]
                    xor eax, eax
                    push ebp
                    push 00A3DDA7h
                    push dword ptr fs:[eax]
                    mov dword ptr fs:[eax], esp
                    mov ax, 027Fh
                    call 00007F1A641DD6FBh
                    mov eax, dword ptr [00A55698h]
                    mov eax, dword ptr [eax]
                    call 00007F1A6426D457h
                    mov eax, dword ptr [00A55698h]
                    mov eax, dword ptr [eax]
                    mov dword ptr [eax+78h], 0000000Ah
                    mov eax, dword ptr [00A55698h]
                    mov eax, dword ptr [eax]
                    mov dword ptr [eax+74h], 00003A98h
                    mov eax, dword ptr [00A55698h]
                    mov eax, dword ptr [eax]
                    mov edx, 00FFFFFFh
                    call 00007F1A6426DB32h
                    mov eax, dword ptr [00A55698h]
                    mov eax, dword ptr [eax]
                    mov dl, 01h
                    call 00007F1A6426DAD4h
                    mov eax, dword ptr [00A55698h]
                    mov eax, dword ptr [eax]
                    mov edx, 00A3DDC4h
                    mov ecx, dword ptr [eax]
                    call dword ptr [ecx+18h]
                    call 00007F1A647BE366h
                    push 00000001h
                    call 00007F1A641E351Fh
                    lea eax, dword ptr [ebp-14h]
                    call 00007F1A6458C45Bh
                    mov edx, dword ptr [ebp-14h]
                    mov eax, 00A856C8h
                    call 00007F1A641DFD6Ah
                    mov eax, 00A85498h
                    mov edx, 00A3DDD8h
                    call 00007F1A641E75D3h
                    push 00A85498h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x68c000 | 0x4f | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x686000 | 0x50dc | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6e3000 | 0x152ec39 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1bdd400 | 0x5a48 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x68f000 | 0x53ca4 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x68e000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Note: the SECURITY entry (the Authenticode certificate table) stores a raw file offset rather than an RVA, so its "Is in Section" value is not meaningful. 0x1bdd400 + 0x5a48 = 29'240'904, exactly the file size, i.e. the signature blob is appended at the very end of the image, as Authenticode requires.
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x63dce8 | 0x63de00 | fb9c2227a68e33fb1ffcaa57c709316f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0x63f000 | 0x16fc8 | 0x17000 | e813719402f5156ae425c5359ec8a68f | False | 0.5426290760869565 | data | 6.182660583779649 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0x656000 | 0x2f6d5 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x686000 | 0x50dc | 0x5200 | 66e88bc6c18e47696b18c6aa15e0866e | False | 0.3386528201219512 | data | 5.004285759438656 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x68c000 | 0x4f | 0x200 | 99b8b0699b843abf02895af576562311 | False | 0.134765625 | data | 0.8585119567054085 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.tls | 0x68d000 | 0x25c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x68e000 | 0x18 | 0x200 | 553803eac1acf49fe8c055c9df7de6a3 | False | 0.056640625 | data | 0.2147325177871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x68f000 | 0x53ca4 | 0x53e00 | d01a7222eab8f6870b4195c5db39bf91 | False | 0.6171904107675111 | data | 6.769685983367294 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x6e3000 | 0x152ec39 | 0x152ee00 | 608c6118221cf4b87ce0b467d9d75dde | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
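The data-directory and section tables are raw header facts, and the report's EXEFILE resources are whole PE images stored inside .rsrc. The following Python is an added example written for this page, not Joe Sandbox code and not part of the analysed sample: with the standard library only it parses a PE32/PE32+ header and reproduces the checks a practitioner makes from those tables: per-section Shannon entropy (the "Entropy" column), which section a directory RVA falls in ("Is in Section"), the fixed Borland/Delphi link timestamp, the WIN_CERTIFICATE header reached through the SECURITY directory (a file offset, not an RVA), and carving of embedded MZ/PE images of the kind the EXEFILE resources carry. The `build_sample_pe()` helper constructs a small synthetic PE for the demonstration; everything about that sample (section names, sizes, a dummy certificate body) is an assumption of the example, so run the functions on the real file's bytes to get the report's values.

```python
# Added example (not Joe Sandbox code): parse the PE facts the tables above summarise.
import math
import struct

DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
    "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]
BORLAND_FIXED_TIMESTAMP = 0x2A425E19  # 1992-06-19 22:22:17 UTC, constant written by Borland/Delphi linkers


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0.0 .. 8.0); the 'Entropy' column of the section table."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """COFF timestamp, entry RVA, data directories and section records of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                        # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                         # PE32: 4-byte ImageBase, directories at +96
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                       # PE32+: 8-byte ImageBase, directories at +112
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    ndirs = min(struct.unpack_from("<I", data, ndirs_off)[0], 16)
    dirs = {DIRECTORY_NAMES[i]: struct.unpack_from("<II", data, dirs_off + 8 * i) for i in range(ndirs)}
    sections, sec_off = [], opt + opt_size     # section table starts right after the optional header
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        flags = struct.unpack_from("<I", data, sec_off + 40 * i + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr, "flags": flags,
                         "entropy": shannon_entropy(data[raw_ptr:raw_ptr + raw_size])})
    return {"timestamp": timestamp, "entry": entry, "dirs": dirs, "sections": sections}


def section_for_rva(sections: list, rva: int):
    """Section whose virtual range covers rva (the 'Is in Section' column), else None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None


def authenticode_header(data: bytes, dirs: dict):
    """WIN_CERTIFICATE header at the SECURITY directory, which stores a file offset, not an RVA."""
    off, size = dirs.get("SECURITY", (0, 0))
    if size == 0 or off + 8 > len(data):
        return None
    length, revision, cert_type = struct.unpack_from("<IHH", data, off)
    return {"length": length, "revision": revision, "type": cert_type}


def find_embedded_pe(data: bytes) -> list:
    """File offsets past the outer header where an MZ header points at a valid PE signature."""
    hits, pos = [], data.find(b"MZ", 1)
    while pos != -1:
        if pos + 0x40 <= len(data):
            lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if 0x40 <= lfanew < 0x1000 and data[pos + lfanew:pos + lfanew + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def build_sample_pe() -> bytes:
    """Constructed sample, not the analysed file: PE32 with .text, a .rsrc section embedding a
    second MZ/PE stub (like the EXEFILE resources) and a trailing WIN_CERTIFICATE blob."""
    def section_header(name, size, va, raw_ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, size, va, size, raw_ptr, 0, 0, 0, 0, flags)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # DOS header, e_lfanew = 0x40
    inner = dos + b"PE\0\0"                                          # the embedded stub to be carved
    text = bytes(range(16)) * 32              # 512 bytes, 16 equiprobable values -> entropy 4.0
    rsrc = (b"\0" * 64 + inner).ljust(0x200, b"\0")
    cert = struct.pack("<IHH", 24, 0x0200, 0x0002) + b"\x30" * 16   # WIN_CERTIFICATE, dummy body
    opt = bytearray(224)                      # IMAGE_OPTIONAL_HEADER32 with 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, 0x1000)   # AddressOfEntryPoint, inside .text
    struct.pack_into("<I", opt, 28, 0x400000) # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)              # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 2, 0x2000, len(rsrc))  # RESOURCE (RVA, size)
    struct.pack_into("<II", opt, 96 + 8 * 4, 0x600, len(cert))   # SECURITY (file offset, size)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, BORLAND_FIXED_TIMESTAMP, 0, 0, len(opt), 0x0102)
    headers = (dos + b"PE\0\0" + coff + bytes(opt)
               + section_header(b".text", len(text), 0x1000, 0x200, 0x60000020)
               + section_header(b".rsrc", len(rsrc), 0x2000, 0x400, 0x40000040)).ljust(0x200, b"\0")
    return headers + text + rsrc + cert
```

To apply it to a real sample, read the file bytes and call `parse_pe`, then `section_for_rva(pe["sections"], va)` for each non-empty directory, `authenticode_header` for the signature blob and `find_embedded_pe` to locate the resource-embedded executables; compare `pe["timestamp"]` with `BORLAND_FIXED_TIMESTAMP` before treating the link time as evidence. The carver is deliberately conservative (it requires an MZ header whose e_lfanew points at a PE signature within 4 KiB), so compressed resources such as the zlib blobs in the report are not reported until inflated.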
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
EXEFILE | 0x6e8008 | 0x299fe0 | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | | | 0.33449363708496094
EXEFILE | 0x981fe8 | 0x28fc48 | PE32 executable (console) Intel 80386, for MS Windows | | | 0.39478302001953125
EXEFILE | 0xc11c30 | 0x11f | zlib compressed data | | | 1.038327526132404
EXEFILE | 0xc11d50 | 0x178 | zlib compressed data | | | 1.0292553191489362
EXEFILE | 0xc11ec8 | 0x4b32d | Audio file with ID3 version 2.4.0, contains: MPEG ADTS, layer III, v1, 256 kbps, 48 kHz, Stereo | | | 0.984887001522663
EXEFILE | 0xc5d1f8 | 0x263be0 | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | | | 0.4352073669433594
EXEFILE | 0xec0dd8 | 0x12f | zlib compressed data | | | 1.0363036303630364
EXEFILE | 0xec0f08 | 0x12d | zlib compressed data | | | 1.0365448504983388
EXEFILE | 0xec1038 | 0xfe028 | PE32 executable (GUI) Intel 80386, for MS Windows | | | 0.5044491476551868
MAD | 0xfbf060 | 0x14 | data | | | 1.35
MAD | 0xfbf074 | 0x68e0 | data | | | 1.000595947556615
TXT | 0xfc5954 | 0x186a1 | data | | | 1.000409995900041
TXT | 0xfddff8 | 0x23d9d | GNU message catalog (little endian), revision 0.0, 1556 messages, Project-Id-Version: no '\330\247\331\204\331\205\330\255\331\201\331\210\330\270\330\247\330\252 "\330\247\331\204\330\260\331\207\330\247\330\250 \330\245\331\204\331\211"' | | | 0.3310429364295686
TXT | 0x1001d98 | 0x29402 | GNU message catalog (little endian), revision 0.0, 1556 messages, #-#-#-#-# C: \Documents and Settings\Administrateur\Mes documents\privazer\locale_lang_external\bg\LC_MESSAGES\default.bg.po ( '"O\321\202\320\270\320\264\320\270 \320\262" \320\270\321\201\321\202\320\276\321\200\320\270\321\217' | | | 0.3001976775843089
TXT | 0x102b19c | 0x1fdab | GNU message catalog (little endian), revision 0.0, 1556 messages, #-#-#-#-# C: \Documents and Settings\Administrateur\Mes documents\privazer\locale_lang_external\ca\LC_MESSAGES\default.ca.po ( 'Historial de "Ves a"' | | | 0.35981605671584593
TXT | 0x104af48 | 0x1f43f | GNU message catalog (little endian), revision 0.0, 1556 messages, #-#-#-#-# C: \Documents and Settings\Administrateur\Mes documents\privazer\locale_lang_external\cs\LC_MESSAGES\default.cs.po ( '"Go to" Historie' | | | 0.3659370778444984
TXT | 0x106a388 | 0x1e94f | GNU message catalog (little endian), revision 0.0, 1556 messages, Project-Id-Version: PrivaZer '"G\303\245 til" historik' | | | 0.36404205551519603
TXT | 0x1088cd8 | 0x2062d | GNU message catalog (little endian), revision 0.0, 1556 messages, Project-Id-Version: a '"Gehe zu"-Historie' | | | 0.3516467776831282
TXT | 0x10a9308 | 0x2b1b5 | GNU message catalog (little endian), revision 0.0, 1556 messages, #-#-#-#-# C: \Documents and Settings\Administrateur\Mes documents\privazer\locale_lang_external\el\LC_MESSAGES\default.el.po ( '"Go to" \316\231\317\203\317\204\316\277\317\201\316\271\316\272\317\214' | | | 0.3004502591113754
TXT | 0x10d44c0 | 0x200fa | GNU message catalog (little endian), revision 0.0, 1556 messages, #-#-#-#-# C: \Documents and Settings\Administrateur\Mes documents\privazer\locale_lang_external\es\LC_MESSAGES\default.es.po ( '"Go to" historial' | | | 0.3535431991593183
TXT | 0x10f45bc | 0x20688 | GNU message catalog (little endian), revision 0.0, 1556 messages, #-#-#-#-# C: \Documents and Settings\Administrateur\Mes documents\privazer\locale_lang_external\fr\LC_MESSAGES\default.fr.po ( 'Historique "Aller \303\240"' | | | 0.3487916591333695
TXT | 0x1114c44 | 0x22a4a | GNU message catalog (little endian), revision 0.0, 1556 messages, #-#-#-#-# C: \Documents and Settings\Administrateur\Mes documents\privazer\locale_lang_external\he\LC_MESSAGES\default.he.po ( '\327\224\327\231\327\241\327\230\327\225\327\250\327\231\327\231\327\252 "\327\242\327\221\327\225\327\250 \327\220\327\234"' | | | 0.33047682137873685
TXT | 0x1137690 | 0x1f423 | GNU message catalog (little endian), revision 0.0, 1556 messages, Project-Id-Version: a '"Idi" Povijest' | | | 0.3610419026047565
TXT | 0x1156ab4 | 0x20f70 | GNU message catalog (little endian), revision 0.0, 1556 messages, #-#-#-#-# C: \Documents and Settings\Administrateur\Mes documents\privazer\locale_lang_external\hu\LC_MESSAGES\default.hu.po ( '"Ugr\303\241s" az el\305\221zm\303\251nyekhez' | | | 0.35527758028202394
TXT | 0x1177a24 | 0x20152 | GNU message catalog (little endian), revision 0.0, 1556 messages, #-#-#-#-# C: \Documents and Settings\Administrateur\Mes documents\privazer\locale_lang_external\it\LC_MESSAGES\default.it.po ( 'Cronologia di "Vai A"' | | | 0.3528346396773457
TXT | 0x1197b78 | 0x23962 | GNU message catalog (little endian), revision 0.0, 1556 messages, #-#-#-#-# C: \Documents and Settings\Administrateur\Mes documents\privazer\locale_lang_external\ja\LC_MESSAGES\default.ja.po ( '"Go to" \343\203\222\343\202\271\343\203\210\343\203\252\343\203\274' | | | 0.3276436931436177
TXT | 0x11bb4dc | 0x1fc86 | GNU message catalog (little endian), revision 0.0, 1556 messages, #-#-#-#-# C: \Documents and Settings\Administrateur\Mes documents\privazer\locale_lang_external\lt\LC_MESSAGES\default.lt.po ( '/"Eiti/"istorija ' | | | 0.3625462813599422
TXT | 0x11db164 | 0x1ffba | GNU message catalog (little endian), revision 0.0, 1556 messages, #-#-#-#-# C: \Documents and Settings\Administrateur\Mes documents\privazer\locale_lang_external\lv\LC_MESSAGES\default.lv.po ( '"P\304\201riet uz" v\304\223sture' | | | 0.36029220927924765
TXT | 0x11fb120 | 0x1f7c6 | GNU message catalog (little endian), revision 0.0, 1556 messages, #-#-#-#-# C: \Documents and Settings\Administrateur\Mes documents\privazer\locale_lang_external\nl\LC_MESSAGES\default.nl.po ( '"Go to" Historie' | | | 0.3577764682164291
TXT | 0x121a8e8 | 0x2005c | GNU message catalog (little endian), revision 0.0, 1556 messages, #-#-#-#-# C: \Documents and Settings\Administrateur\Mes documents\privazer\locale_lang_external\pl\LC_MESSAGES\default.pl.po ( '"Id\305\272 do" historia' | | | 0.35943551584276173
TXT | 0x123a944 | 0x1fbad | GNU message catalog (little endian), revision 0.0, 1556 messages, #-#-#-#-# C: \Documents and Settings\Administrateur\Mes documents\privazer\locale_lang_external\pt\LC_MESSAGES\default.pt.po ( '"Ir para" hist\303\263rico' | | | 0.35616512137883277
TXT | 0x125a4f4 | 0x1fda7 | GNU message catalog (little endian), revision 0.0, 1556 messages, #-#-#-#-# C: \Documents and Settings\Administrateur\Mes documents\privazer\locale_lang_external\ro\LC_MESSAGES\default.ro.po ( '"Go to" istoric' | | | 0.35926757670286885
TXT | 0x127a29c | 0x28e14 | GNU message catalog (little endian), revision 0.0, 1556 messages, #-#-#-#-# C: \Documents and Settings\Administrateur\Mes documents\privazer\locale_lang_external\ru\LC_MESSAGES\default.ru.po ( '"\320\237\320\265\321\200\320\265\320\271\321\202\320\270" \320\270\321\201\321\202\320\276\321\200\320\270\321\217' | | | 0.3049198538018681
TXT | 0x12a30b0 | 0x1f580 | GNU message catalog (little endian), revision 0.0, 1556 messages, #-#-#-#-# C: \Documents and Settings\Administrateur\Mes documents\privazer\locale_lang_external\sk\LC_MESSAGES\default.sk.po ( '"\303\215s\305\245 na" hist\303\263ria' | | | 0.36147027666999004
TXT | 0x12c2630 | 0x1f5fc | GNU message catalog (little endian), revision 0.0, 1556 messages, #-#-#-#-# C: \Documents and Settings\Administrateur\Mes documents\privazer\locale_lang_external\sl\LC_MESSAGES\default.sl.po ( '"Pojdi" zgodovina' | | | 0.3624599246739503
TXT | 0x12e1c2c | 0x1f8aa | GNU message catalog (little endian), revision 0.0, 1556 messages, #-#-#-#-# C: \Documents and Settings\Administrateur\Mes documents\privazer\locale_lang_external\sr\LC_MESSAGES\default.sr.po ( '"Idi na" istoriju' | | | 0.3644286886387913
TXT | 0x13014d8 | 0x1e44d | GNU message catalog (little endian), revision 0.0, 1556 messages, #-#-#-#-# C: \Documents and Settings\Administrateur\Mes documents\privazer\locale_lang_external\fr\LC_MESSAGES\default.fr.po ( '"G\303\245 till" historik' | | | 0.36476556891781803
TXT | 0x131f928 | 0x200d3 | GNU message catalog (little endian), revision 0.0, 1556 messages, #-#-#-#-# C: \Documents and Settings\Administrateur\Mes documents\privazer\locale_lang_external\tr\LC_MESSAGES\default.tr.po ( 'ge\303\247mi\305\237e git' | | | 0.3583632305782165
TXT | 0x133f9fc | 0x27a67 | GNU message catalog (little endian), revision 0.0, 1556 messages, #-#-#-#-# C: \Documents and Settings\Administrateur\Mes documents\privazer\locale_lang_external\uk\LC_MESSAGES\default.uk.po ( '\320\206\321\201\321\202\320\276\321\200\321\226\321\217 "Go to"' | | | 0.31083019820574237
TXT | 0x1367464 | 0x1da2c | GNU message catalog (little endian), revision 0.0, 1556 messages, Project-Id-Version: a '\350\267\263\350\275\254\345\210\227\350\241\250\347\232\204\345\216\206\345\217\262\350\256\260\345\275\225' | | | 0.3734965564965235
TXT | 0x1384e90 | 0x1da26 | GNU message catalog (little endian), revision 0.0, 1556 messages, Project-Id-Version: a '\350\267\263\350\275\211\345\210\227\350\241\250\347\232\204\346\255\267\345\217\262\350\250\230\351\214\204' | | | 0.3743635794434101
TXT | 0x13a28b8 | 0x4a3 | ASCII text, with CRLF line terminators | | | 0.44903117101937656
TXT | 0x13a2d5c | 0x465 | ASCII text, with CRLF line terminators | | | 0.488
RT_CURSOR | 0x13a31c4 | 0x134 | data | | | 0.37012987012987014
RT_CURSOR | 0x13a32f8 | 0x134 | data | | | 0.4642857142857143
RT_CURSOR | 0x13a342c | 0x134 | data | | | 0.4805194805194805
RT_CURSOR | 0x13a3560 | 0x134 | data | English | United States | 0.5941558441558441
RT_CURSOR | 0x13a3694 | 0x134 | data | | | 0.36038961038961037
RT_CURSOR | 0x13a37c8 | 0x134 | data | | | 0.4090909090909091
RT_CURSOR | 0x13a38fc | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | | | 0.4967532467532468
RT_CURSOR | 0x13a3a30 | 0x2ec | Targa image data 64 x 65536 x 1 +32 "\004" | German | Germany | 0.19385026737967914
RT_CURSOR | 0x13a3d1c | 0x2ec | Targa image data 64 x 65536 x 1 +32 "\004" | German | Germany | 0.18716577540106952
RT_CURSOR | 0x13a4008 | 0x2ec | Targa image data 64 x 65536 x 1 +32 "\004" | German | Germany | 0.2179144385026738
RT_CURSOR | 0x13a42f4 | 0x2ec | Targa image data 64 x 65536 x 1 +32 "\004" | German | Germany | 0.21122994652406418
RT_CURSOR | 0x13a45e0 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294967064, 3584 elements, 2nd "\377\270w\377\377\370\177\377\377\370\177\377\377\370\177\377\377\370\177\377\377\370\177\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | German | Germany | 0.32792207792207795
RT_CURSOR | 0x13a4714 | 0x134 | Targa image data - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.32142857142857145
RT_CURSOR | 0x13a4848 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | | | 0.3538961038961039
RT_CURSOR | 0x13a497c | 0x134 | data | English | United States | 0.2564935064935065
RT_CURSOR | 0x13a4ab0 | 0x134 | data | English | United States | 0.39935064935064934
RT_CURSOR | 0x13a4be4 | 0x134 | Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.2694805194805195
RT_CURSOR | 0x13a4d18 | 0x134 | Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.2305194805194805
RT_CURSOR | 0x13a4e4c | 0x134 | Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.22402597402597402
RT_CURSOR | 0x13a4f80 | 0x134 | Targa image data - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.35064935064935066
RT_CURSOR | 0x13a50b4 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | German | Germany | 0.5292207792207793
RT_CURSOR | 0x13a51e8 | 0x2ec | Targa image data 64 x 65536 x 1 +32 "\004" | German | Germany | 0.18983957219251338
RT_CURSOR | 0x13a54d4 | 0x2ec | Targa image data 64 x 65536 x 1 +32 "\004" | German | Germany | 0.19117647058823528
RT_CURSOR | 0x13a57c0 | 0x2ec | Targa image data 64 x 65536 x 1 +32 "\004" | German | Germany | 0.19786096256684493
RT_CURSOR | 0x13a5aac | 0x2ec | Targa image data 64 x 65536 x 1 +32 "\004" | German | Germany | 0.18983957219251338
RT_CURSOR | 0x13a5d98 | 0x2ec | Targa image data 64 x 65536 x 1 +32 "\004" | German | Germany | 0.19518716577540107
RT_CURSOR | 0x13a6084 | 0x2ec | Targa image data 64 x 65536 x 1 +32 "\004" | German | Germany | 0.19518716577540107
RT_CURSOR | 0x13a6370 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | | | 0.38636363636363635
RT_CURSOR | 0x13a64a4 | 0x134 | data | | | 0.38311688311688313
RT_BITMAP | 0x13a65d8 | 0xe8 | Device independent bitmap graphic, 8 x 8 x 24, image size 192 | English | United States | 0.4353448275862069
RT_BITMAP | 0x13a66c0 | 0xe8 | Device independent bitmap graphic, 8 x 8 x 24, image size 192 | English | United States | 0.22413793103448276
RT_BITMAP | 0x13a67a8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.43103448275862066
RT_BITMAP | 0x13a6978 | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | | | 0.46487603305785125
RT_BITMAP | 0x13a6b5c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.43103448275862066
RT_BITMAP | 0x13a6d2c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.39870689655172414
RT_BITMAP | 0x13a6efc | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.4245689655172414
RT_BITMAP | 0x13a70cc | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.5021551724137931
RT_BITMAP | 0x13a729c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.5064655172413793
RT_BITMAP | 0x13a746c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.39655172413793105
RT_BITMAP | 0x13a763c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.5344827586206896
RT_BITMAP | 0x13a780c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.39655172413793105
RT_BITMAP | 0x13a79dc | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | | | 0.3577586206896552
RT_BITMAP | 0x13a7ac4 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | English | United States | 0.30603448275862066
RT_BITMAP | 0x13a7bac | 0x4d8 | Device independent bitmap graphic, 20 x 20 x 24, image size 1200, resolution 2834 x 2834 px/m | German | Germany | 0.15564516129032258
RT_BITMAP | 0x13a8084 | 0x4d8 | Device independent bitmap graphic, 20 x 20 x 24, image size 1200, resolution 2834 x 2834 px/m | | | 0.19274193548387097
RT_BITMAP | 0x13a855c | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | German | Germany | 0.4396551724137931
RT_BITMAP | 0x13a8644 | 0x5cc | Device independent bitmap graphic, 19 x 19 x 32, image size 1444, resolution 3779 x 3779 px/m | | | 0.4865229110512129
RT_BITMAP | 0x13a8c10 | 0x5cc | Device independent bitmap graphic, 19 x 19 x 32, image size 1444, resolution 3779 x 3779 px/m | | | 0.601078167115903
RT_BITMAP | 0x13a91dc | 0x5cc | Device independent bitmap graphic, 19 x 19 x 32, image size 1444, resolution 2834 x 2834 px/m | | | 0.5579514824797843
RT_BITMAP | 0x13a97a8 | 0x5cc | Device independent bitmap graphic, 19 x 19 x 32, image size 1444, resolution 3779 x 3779 px/m | | | 0.477088948787062
RT_BITMAP | 0x13a9d74 | 0x5cc | Device independent bitmap graphic, 19 x 19 x 32, image size 1444, resolution 3779 x 3779 px/m | | | 0.5990566037735849
RT_BITMAP | 0x13aa340 | 0x5cc | Device independent bitmap graphic, 19 x 19 x 32, image size 1444, resolution 2834 x 2834 px/m | | | 0.5559299191374663
RT_BITMAP | 0x13aa90c | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | | | 0.5208333333333334
RT_BITMAP | 0x13aa9cc | 0x50 | Device independent bitmap graphic, 8 x 8 x 1, image size 32 | English | United States | 0.55
RT_BITMAP | 0x13aaa1c | 0xd8 | Device independent bitmap graphic, 14 x 14 x 4, image size 112 | | | 0.4074074074074074
RT_BITMAP | 0x13aaaf4 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | | | 0.42857142857142855
RT_BITMAP | 0x13aabd4 | 0x128 | Device independent bitmap graphic, 21 x 16 x 4, image size 192 | | | 0.39864864864864863
                    RT_BITMAP0x13aacfc0x128Device independent bitmap graphic, 19 x 16 x 4, image size 1920.3885135135135135
                    RT_BITMAP0x13aae240x128Device independent bitmap graphic, 21 x 16 x 4, image size 1920.3885135135135135
                    RT_BITMAP0x13aaf4c0xe8Device independent bitmap graphic, 13 x 16 x 4, image size 1280.36637931034482757
                    RT_BITMAP0x13ab0340x128Device independent bitmap graphic, 17 x 16 x 4, image size 1920.3614864864864865
                    RT_BITMAP0x13ab15c0x128Device independent bitmap graphic, 20 x 16 x 4, image size 1920.3783783783783784
                    RT_BITMAP0x13ab2840xd0Device independent bitmap graphic, 13 x 13 x 4, image size 1040.49038461538461536
                    RT_BITMAP0x13ab3540x128Device independent bitmap graphic, 21 x 16 x 4, image size 1920.3716216216216216
                    RT_BITMAP0x13ab47c0x128Device independent bitmap graphic, 17 x 16 x 4, image size 1920.2905405405405405
                    RT_BITMAP0x13ab5a40x16cDevice independent bitmap graphic, 9 x 9 x 32, image size 324EnglishUnited States0.37637362637362637
                    RT_BITMAP0x13ab7100xe0Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors0.4955357142857143
                    RT_BITMAP0x13ab7f00x5cDevice independent bitmap graphic, 6 x 11 x 1, image size 440.391304347826087
                    RT_BITMAP0x13ab84c0x5cDevice independent bitmap graphic, 6 x 11 x 1, image size 440.532608695652174
                    RT_BITMAP0x13ab8a80x5cDevice independent bitmap graphic, 6 x 11 x 1, image size 440.4782608695652174
                    RT_BITMAP0x13ab9040x5cDevice independent bitmap graphic, 6 x 11 x 1, image size 440.5543478260869565
                    RT_BITMAP0x13ab9600x5cDevice independent bitmap graphic, 6 x 11 x 1, image size 440.4673913043478261
                    RT_BITMAP0x13ab9bc0x138Device independent bitmap graphic, 28 x 13 x 4, image size 2080.41025641025641024
                    RT_BITMAP0x13abaf40x138Device independent bitmap graphic, 28 x 13 x 4, image size 2080.27564102564102566
                    RT_BITMAP0x13abc2c0x138Device independent bitmap graphic, 28 x 13 x 4, image size 2080.3685897435897436
                    RT_BITMAP0x13abd640x138Device independent bitmap graphic, 28 x 13 x 4, image size 2080.3685897435897436
                    RT_BITMAP0x13abe9c0x138Device independent bitmap graphic, 28 x 13 x 4, image size 2080.34294871794871795
                    RT_BITMAP0x13abfd40x138Device independent bitmap graphic, 28 x 13 x 4, image size 2080.3717948717948718
                    RT_BITMAP0x13ac10c0x104Device independent bitmap graphic, 20 x 13 x 4, image size 1560.5038461538461538
                    RT_BITMAP0x13ac2100x138Device independent bitmap graphic, 28 x 13 x 4, image size 2080.4326923076923077
                    RT_BITMAP0x13ac3480x104Device independent bitmap graphic, 20 x 13 x 4, image size 1560.5153846153846153
                    RT_BITMAP0x13ac44c0x138Device independent bitmap graphic, 28 x 13 x 4, image size 2080.46474358974358976
                    RT_BITMAP0x13ac5840xe8Device independent bitmap graphic, 16 x 16 x 4, image size 1280.3577586206896552
                    RT_BITMAP0x13ac66c0x328Device independent bitmap graphic, 16 x 16 x 24, image size 768, resolution 2834 x 2834 px/m0.06188118811881188
                    RT_BITMAP0x13ac9940x528Device independent bitmap graphic, 16 x 16 x 8, image size 256GermanGermany0.38257575757575757
                    RT_BITMAP0x13acebc0x128Device independent bitmap graphic, 21 x 16 x 4, image size 1920.38175675675675674
                    RT_BITMAP0x13acfe40x128Device independent bitmap graphic, 19 x 16 x 4, image size 1920.3783783783783784
                    RT_BITMAP0x13ad10c0x128Device independent bitmap graphic, 21 x 16 x 4, image size 1920.3783783783783784
                    RT_BITMAP0x13ad2340xe8Device independent bitmap graphic, 12 x 16 x 4, image size 1280.3620689655172414
                    RT_BITMAP0x13ad31c0x128Device independent bitmap graphic, 17 x 16 x 4, image size 1920.3581081081081081
                    RT_BITMAP0x13ad4440x128Device independent bitmap graphic, 20 x 16 x 4, image size 1920.375
                    RT_BITMAP0x13ad56c0xd0Device independent bitmap graphic, 13 x 13 x 4, image size 1040.47115384615384615
                    RT_BITMAP0x13ad63c0x128Device independent bitmap graphic, 21 x 16 x 4, image size 1920.36824324324324326
                    RT_BITMAP0x13ad7640x128Device independent bitmap graphic, 17 x 16 x 4, image size 1920.28716216216216217
                    RT_BITMAP0x13ad88c0x128Device independent bitmap graphic, 21 x 16 x 4, image size 1920.3885135135135135
                    RT_BITMAP0x13ad9b40x128Device independent bitmap graphic, 19 x 16 x 4, image size 1920.375
                    RT_BITMAP0x13adadc0x128Device independent bitmap graphic, 21 x 16 x 4, image size 1920.375
                    RT_BITMAP0x13adc040xe8Device independent bitmap graphic, 13 x 16 x 4, image size 1280.36637931034482757
                    RT_BITMAP0x13adcec0x128Device independent bitmap graphic, 17 x 16 x 4, image size 1920.35135135135135137
                    RT_BITMAP0x13ade140x128Device independent bitmap graphic, 20 x 16 x 4, image size 1920.36486486486486486
                    RT_BITMAP0x13adf3c0xd0Device independent bitmap graphic, 13 x 13 x 4, image size 1040.47115384615384615
                    RT_BITMAP0x13ae00c0x128Device independent bitmap graphic, 21 x 16 x 4, image size 1920.3581081081081081
                    RT_BITMAP0x13ae1340x128Device independent bitmap graphic, 17 x 16 x 4, image size 1920.28716216216216217
                    RT_BITMAP0x13ae25c0xe0Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors0.38392857142857145
                    RT_BITMAP0x13ae33c0x16cDevice independent bitmap graphic, 9 x 9 x 32, image size 324EnglishUnited States0.3956043956043956
                    RT_BITMAP0x13ae4a80xc0Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors0.4947916666666667
                    RT_BITMAP0x13ae5680xc0Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors0.484375
                    RT_BITMAP0x13ae6280xd0Device independent bitmap graphic, 8 x 7 x 24, image size 168EnglishUnited States0.22115384615384615
                    RT_BITMAP0x13ae6f80xd0Device independent bitmap graphic, 8 x 7 x 24, image size 168EnglishUnited States0.23076923076923078
                    RT_BITMAP0x13ae7c80x230Device independent bitmap graphic, 13 x 13 x 24, image size 520, resolution 2834 x 2834 px/m0.07857142857142857
                    RT_BITMAP0x13ae9f80x328Device independent bitmap graphic, 16 x 16 x 24, image size 768, resolution 2834 x 2834 px/m0.05198019801980198
                    RT_BITMAP0x13aed200x4d8Device independent bitmap graphic, 20 x 20 x 24, image size 1200, resolution 2834 x 2834 px/m0.037096774193548385
                    RT_BITMAP0x13af1f80x6a0Device independent bitmap graphic, 23 x 23 x 24, image size 1656, resolution 2834 x 2834 px/m0.0330188679245283
                    RT_BITMAP0x13af8980x848Device independent bitmap graphic, 26 x 26 x 24, image size 2080, resolution 2834 x 2834 px/m0.027830188679245284
                    RT_BITMAP0x13b00e00xa20Device independent bitmap graphic, 29 x 29 x 24, image size 2552, resolution 2834 x 2834 px/m0.02353395061728395
                    RT_BITMAP0x13b0b000xe8Device independent bitmap graphic, 16 x 16 x 4, image size 128EnglishUnited States0.34051724137931033
                    RT_BITMAP0x13b0be80x230Device independent bitmap graphic, 13 x 13 x 24, image size 520, resolution 2834 x 2834 px/m0.3107142857142857
                    RT_BITMAP0x13b0e180x328Device independent bitmap graphic, 16 x 16 x 24, image size 768, resolution 2834 x 2834 px/m0.2264851485148515
                    RT_BITMAP0x13b11400x4d8Device independent bitmap graphic, 20 x 20 x 24, image size 1200, resolution 2834 x 2834 px/m0.17661290322580644
                    RT_BITMAP0x13b16180x6a0Device independent bitmap graphic, 23 x 23 x 24, image size 1656, resolution 2834 x 2834 px/m0.1474056603773585
                    RT_BITMAP0x13b1cb80x848Device independent bitmap graphic, 26 x 26 x 24, image size 2080, resolution 2834 x 2834 px/m0.125
                    RT_BITMAP0x13b25000xa20Device independent bitmap graphic, 29 x 29 x 24, image size 2552, resolution 2834 x 2834 px/m0.1246141975308642
                    RT_BITMAP0x13b2f200xe8Device independent bitmap graphic, 16 x 16 x 4, image size 128GermanGermany0.34913793103448276
                    RT_BITMAP0x13b30080xe8Device independent bitmap graphic, 16 x 16 x 4, image size 128GermanGermany0.29310344827586204
                    RT_BITMAP0x13b30f00xe0Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors0.42410714285714285
                    RT_BITMAP0x13b31d00x1d0Device independent bitmap graphic, 36 x 18 x 4, image size 3600.43103448275862066
                    RT_BITMAP0x13b33a00x1e4Device independent bitmap graphic, 36 x 19 x 4, image size 3800.46487603305785125
                    RT_BITMAP0x13b35840x74Device independent bitmap graphic, 5 x 3 x 4, image size 12GermanGermany0.5258620689655172
                    RT_BITMAP0x13b35f80x1d0Device independent bitmap graphic, 36 x 18 x 4, image size 3600.43103448275862066
                    RT_BITMAP0x13b37c80x1d0Device independent bitmap graphic, 36 x 18 x 4, image size 3600.39870689655172414
                    RT_BITMAP0x13b39980x1d0Device independent bitmap graphic, 36 x 18 x 4, image size 3600.4245689655172414
                    RT_BITMAP0x13b3b680x1d0Device independent bitmap graphic, 36 x 18 x 4, image size 3600.5021551724137931
                    RT_BITMAP0x13b3d380x1d0Device independent bitmap graphic, 36 x 18 x 4, image size 3600.5064655172413793
                    RT_BITMAP0x13b3f080x1d0Device independent bitmap graphic, 36 x 18 x 4, image size 3600.39655172413793105
                    RT_BITMAP0x13b40d80x1d0Device independent bitmap graphic, 36 x 18 x 4, image size 3600.5344827586206896
                    RT_BITMAP0x13b42a80x1d0Device independent bitmap graphic, 36 x 18 x 4, image size 3600.39655172413793105
                    RT_BITMAP0x13b44780xd8Device independent bitmap graphic, 14 x 14 x 4, image size 1120.38425925925925924
                    RT_BITMAP0x13b45500x1028Device independent bitmap graphic, 32 x 32 x 32, image size 40960.41392649903288203
                    RT_BITMAP0x13b55780x428Device independent bitmap graphic, 16 x 16 x 32, image size 10240.2161654135338346
                    RT_BITMAP0x13b59a00x428Device independent bitmap graphic, 16 x 16 x 32, image size 10240.5018796992481203
                    RT_BITMAP0x13b5dc80x428Device independent bitmap graphic, 16 x 16 x 32, image size 10240.3167293233082707
                    RT_BITMAP0x13b61f00x1028Device independent bitmap graphic, 32 x 32 x 32, image size 40960.5548839458413927
                    RT_BITMAP0x13b72180x428Device independent bitmap graphic, 16 x 16 x 32, image size 10240.5582706766917294
                    RT_BITMAP0x13b76400x428Device independent bitmap graphic, 16 x 16 x 32, image size 10240.48402255639097747
                    RT_BITMAP0x13b7a680x428Device independent bitmap graphic, 16 x 16 x 32, image size 10240.5469924812030075
                    RT_BITMAP0x13b7e900x428Device independent bitmap graphic, 16 x 16 x 32, image size 10240.4906015037593985
                    RT_BITMAP0x13b82b80x1028Device independent bitmap graphic, 32 x 32 x 32, image size 40960.3034332688588008
                    RT_BITMAP0x13b92e00x428Device independent bitmap graphic, 16 x 16 x 32, image size 10240.48872180451127817
                    RT_BITMAP0x13b97080xd8Device independent bitmap graphic, 14 x 14 x 4, image size 1120.35185185185185186
                    RT_BITMAP0x13b97e00x1d8Device independent bitmap graphic, 12 x 12 x 24, image size 432EnglishUnited States0.2966101694915254
                    RT_BITMAP0x13b99b80xc0Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors0.5104166666666666
                    RT_BITMAP0x13b9a780x1b4Device independent bitmap graphic, 11 x 11 x 24, image size 396EnglishUnited States0.1628440366972477
                    RT_BITMAP0x13b9c2c0xd8Device independent bitmap graphic, 14 x 14 x 4, image size 1120.5509259259259259
                    RT_BITMAP0x13b9d040xe0Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors0.5
                    RT_BITMAP0x13b9de40xd8Device independent bitmap graphic, 14 x 14 x 4, image size 1120.4074074074074074
                    RT_BITMAP0x13b9ebc0xe8Device independent bitmap graphic, 16 x 16 x 4, image size 1280.4870689655172414
                    RT_BITMAP0x13b9fa40xc0Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors0.4895833333333333
                    RT_BITMAP0x13ba0640x54Device independent bitmap graphic, 5 x 9 x 1, image size 36EnglishUnited States0.5714285714285714
                    RT_BITMAP0x13ba0b80xdcDevice independent bitmap graphic, 19 x 3 x 24, image size 180EnglishUnited States0.2681818181818182
                    RT_BITMAP0x13ba1940xdcDevice independent bitmap graphic, 19 x 3 x 24, image size 180EnglishUnited States0.2681818181818182
                    RT_BITMAP0x13ba2700xdcDevice independent bitmap graphic, 19 x 3 x 24, image size 180EnglishUnited States0.2681818181818182
                    RT_BITMAP0x13ba34c0xe8Device independent bitmap graphic, 16 x 16 x 4, image size 128EnglishUnited States0.3017241379310345
                    RT_BITMAP0x13ba4340x188Device independent bitmap graphic, 24 x 24 x 4, image size 288GermanGermany0.3010204081632653
                    RT_BITMAP0x13ba5bc0x188Device independent bitmap graphic, 24 x 24 x 4, image size 288GermanGermany0.38010204081632654
                    RT_BITMAP0x13ba7440x188Device independent bitmap graphic, 24 x 24 x 4, image size 288, 16 important colorsGermanGermany0.3647959183673469
                    RT_BITMAP0x13ba8cc0xe0Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors0.3794642857142857
                    RT_BITMAP0x13ba9ac0x1ccDevice independent bitmap graphic, 3 x 35 x 24, image size 420EnglishUnited States0.11956521739130435
                    RT_BITMAP0x13bab780xce8Device independent bitmap graphic, 400 x 16 x 4, image size 32000.1089588377723971
                    RT_BITMAP0x13bb8600xce8Device independent bitmap graphic, 400 x 16 x 4, image size 32000.10714285714285714
                    RT_BITMAP0x13bc5480xce8Device independent bitmap graphic, 400 x 16 x 4, image size 32000.0950363196125908
                    RT_BITMAP0x13bd2300x268Device independent bitmap graphic, 32 x 32 x 4, image size 5120.21266233766233766
                    RT_BITMAP0x13bd4980x268Device independent bitmap graphic, 32 x 32 x 4, image size 5120.17207792207792208
                    RT_BITMAP0x13bd7000x268Device independent bitmap graphic, 32 x 32 x 4, image size 5120.1672077922077922
                    RT_BITMAP0x13bd9680xce8Device independent bitmap graphic, 400 x 16 x 4, image size 32000.11955205811138014
                    RT_BITMAP0x13be6500xce8Device independent bitmap graphic, 400 x 16 x 4, image size 32000.11561743341404358
                    RT_BITMAP0x13bf3380xd28Device independent bitmap graphic, 144 x 16 x 8, image size 23040.23634204275534443
                    RT_BITMAP0x13c00600x4b2aDevice independent bitmap graphic, 400 x 16 x 24, image size 0, resolution 2834 x 2834 px/m0.2749194470429269
                    RT_BITMAP0x13c4b8c0x126Device independent bitmap graphic, 9 x 9 x 24, image size 0, resolution 2834 x 2834 px/m0.5850340136054422
                    RT_BITMAP0x13c4cb40x126Device independent bitmap graphic, 9 x 9 x 24, image size 0, resolution 2834 x 2834 px/m0.5918367346938775
                    RT_BITMAP0x13c4ddc0x328Device independent bitmap graphic, 16 x 16 x 24, image size 768, resolution 2834 x 2834 px/m0.06188118811881188
                    RT_ICON0x13c51040x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088EnglishUnited States0.524822695035461
                    RT_ICON0x13c556c0x988Device independent bitmap graphic, 24 x 48 x 32, image size 2400EnglishUnited States0.4377049180327869
                    RT_ICON0x13c5ef40x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224EnglishUnited States0.3562382739212008
                    RT_ICON0x13c6f9c0x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600EnglishUnited States0.2884854771784232
                    RT_ICON0x13c95440x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16896EnglishUnited States0.23901747756258857
                    RT_ICON0x13cd76c0x94a8Device independent bitmap graphic, 96 x 192 x 32, image size 38016EnglishUnited States0.19912760142947236
                    RT_ICON0x13d6c140x10828Device independent bitmap graphic, 128 x 256 x 32, image size 67584EnglishUnited States0.1601206672187389
                    RT_ICON0x13e743c0x6594PNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States0.9916166743577911
                    RT_DIALOG0x13ed9d00x52data0.7682926829268293
                    RT_STRING0x13eda240x764data0.3192389006342495
                    RT_STRING0x13ee1880x8f0data0.27972027972027974
                    RT_STRING0x13eea780x520data0.34375
                    RT_STRING0x13eef980x3e0data0.3629032258064516
                    RT_STRING0x13ef3780x5c0data0.3845108695652174
                    RT_STRING0x13ef9380x210data0.4015151515151515
                    RT_STRING0x13efb480x2c0data0.3877840909090909
                    RT_STRING0x13efe080x344data0.4461722488038278
                    RT_STRING0x13f014c0x460data0.41517857142857145
                    RT_STRING0x13f05ac0x2acdata0.4137426900584795
                    RT_STRING0x13f08580x360data0.4131944444444444
                    RT_STRING0x13f0bb80x4c0data0.3125
                    RT_STRING0x13f10780x510data0.2708333333333333
                    RT_STRING0x13f15880x400data0.36328125
                    RT_STRING0x13f19880x1d4data0.3952991452991453
                    RT_STRING0x13f1b5c0x180data0.5130208333333334
                    RT_STRING0x13f1cdc0x1e8data0.5061475409836066
                    RT_STRING0x13f1ec40x3d8data0.41565040650406504
                    RT_STRING0x13f229c0x1d4data0.5256410256410257
                    RT_STRING0x13f24700xe8data0.5905172413793104
                    RT_STRING0x13f25580x1ccdata0.49130434782608695
                    RT_STRING0x13f27240x27cdata0.46855345911949686
                    RT_STRING0x13f29a00x490data0.3792808219178082
                    RT_STRING0x13f2e300x388data0.39048672566371684
                    RT_STRING0x13f31b80x3bcdata0.3817991631799163
                    RT_STRING0x13f35740x3b8data0.33718487394957986
                    RT_STRING0x13f392c0x460data0.3669642857142857
                    RT_STRING0x13f3d8c0x190data0.475
                    RT_STRING0x13f3f1c0xecdata0.5508474576271186
                    RT_STRING0x13f40080x20cdata0.5
                    RT_STRING0x13f42140x454data0.3231046931407942
                    RT_STRING0x13f46680x3a0data0.3728448275862069
                    RT_STRING0x13f4a080x2fcdata0.36387434554973824
                    RT_STRING0x13f4d040x368data0.30160550458715596
                    RT_RCDATA0x13f506c0x10data1.5
                    RT_RCDATA0x13f507c0x1488data0.5551750380517504
                    RT_RCDATA0x13f65040x4cdDelphi compiled form 'TEmbedForm'0.5467860048820179
                    RT_RCDATA0x13f69d40x24cdcaDelphi compiled form 'TForm1'0.1662740707397461
                    RT_RCDATA0x16437a00x887caDelphi compiled form 'TForm2'0.1582774349342635
                    RT_RCDATA0x16cbf6c0xc2a2dDelphi compiled form 'TForm21'0.14434372056209696
                    RT_RCDATA0x178e99c0xb61Delphi compiled form 'TForm27'0.544799176107106
                    RT_RCDATA0x178f5000x6dcDelphi compiled form 'TForm28'0.3582004555808656
                    RT_RCDATA0x178fbdc0x1e29Delphi compiled form 'TForm3'0.14557699779821268
                    RT_RCDATA0x1791a080x411c58Delphi compiled form 'TForm4'0.16619396209716797
                    RT_RCDATA0x1ba36600x3827Delphi compiled form 'TForm5'0.8648347826086956
                    RT_RCDATA0x1ba6e880x1b2bDelphi compiled form 'TForm50'0.8369518332135154
                    RT_RCDATA0x1ba89b40xb0fDelphi compiled form 'TForm500'0.5969622041681385
                    RT_RCDATA0x1ba94c40x7a3Delphi compiled form 'TForm6'0.4030690537084399
                    RT_RCDATA0x1ba9c680xbe6Delphi compiled form 'TForm61'0.37458962573867366
                    RT_RCDATA0x1baa8500x2240cDelphi compiled form 'TForm7'0.07957947255880257
                    RT_RCDATA0x1bccc5c0x317bDelphi compiled form 'TForm8'0.6460882608352412
                    RT_RCDATA0x1bcfdd80x5a97Delphi compiled form 'TFrame1'0.17493855374929929
                    RT_RCDATA0x1bd58700x39586Delphi compiled form 'TFrame8'0.2620845857139208
                    RT_RCDATA0x1c0edf80x494Delphi compiled form 'TLoginDialog'0.4931740614334471
                    RT_RCDATA0x1c0f28c0xc07Delphi compiled form 'TMadExcept'0.47385514777525173
                    RT_RCDATA0x1c0fe940x34eDelphi compiled form 'TMEContactForm'0.43498817966903075
                    RT_RCDATA0x1c101e40x21bDelphi compiled form 'TMEContactForm2'0.549165120593692
                    RT_RCDATA0x1c104000x228Delphi compiled form 'TMEDetailsForm'0.5416666666666666
                    RT_RCDATA0x1c106280x2a3Delphi compiled form 'TMEScrShotForm'0.5333333333333333
                    RT_RCDATA0x1c108cc0x3c4Delphi compiled form 'TPasswordDialog'0.4678423236514523
                    RT_GROUP_CURSOR0x1c10c900x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                    RT_GROUP_CURSOR0x1c10ca40x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                    RT_GROUP_CURSOR0x1c10cb80x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                    RT_GROUP_CURSOR0x1c10ccc0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                    RT_GROUP_CURSOR0x1c10ce00x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                    RT_GROUP_CURSOR0x1c10cf40x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                    RT_GROUP_CURSOR0x1c10d080x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                    RT_GROUP_CURSOR0x1c10d1c0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                    RT_GROUP_CURSOR0x1c10d300x14data1.4
                    RT_GROUP_CURSOR0x1c10d440x14data1.4
                    RT_GROUP_CURSOR0x1c10d580x14data1.4
                    RT_GROUP_CURSOR0x1c10d6c0x14data1.4
                    RT_GROUP_CURSOR0x1c10d800x14data1.4
                    RT_GROUP_CURSOR0x1c10d940x14data1.4
                    RT_GROUP_CURSOR0x1c10da80x14data1.4
                    RT_GROUP_CURSOR0x1c10dbc0x14data1.4
                    RT_GROUP_CURSOR0x1c10dd00x14data1.4
                    RT_GROUP_CURSOR0x1c10de40x14data1.4
                    RT_GROUP_CURSOR0x1c10df80x14data1.4
                    RT_GROUP_CURSOR0x1c10e0c0x14data1.4
                    RT_GROUP_CURSOR0x1c10e200x14Lotus unknown worksheet or configuration, revision 0x11.25
                    RT_GROUP_CURSOR0x1c10e340x14Lotus unknown worksheet or configuration, revision 0x11.3
                    RT_GROUP_CURSOR0x1c10e480x14Lotus unknown worksheet or configuration, revision 0x11.25
                    RT_GROUP_CURSOR0x1c10e5c0x14Lotus unknown worksheet or configuration, revision 0x11.3
                    RT_GROUP_CURSOR0x1c10e700x14Lotus unknown worksheet or configuration, revision 0x11.3
                    RT_GROUP_CURSOR0x1c10e840x14Lotus unknown worksheet or configuration, revision 0x11.3
                    RT_GROUP_CURSOR0x1c10e980x14Lotus unknown worksheet or configuration, revision 0x11.3
                    RT_GROUP_CURSOR0x1c10eac0x14Lotus unknown worksheet or configuration, revision 0x11.3
                    RT_GROUP_ICON0x1c10ec00x76dataEnglishUnited States0.7372881355932204
                    RT_VERSION0x1c10f380x304dataFrenchFrance0.4533678756476684
                    RT_MANIFEST0x1c1123c0x9fdXML 1.0 document, ASCII text, with CRLF line terminators0.3793508017207665
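The resource rows above come out of the report with their columns run together. The Python below is an added example written for this page, not part of the Joe Sandbox report: it splits one such row back into name, RVA, size, type, language, country and the final ratio, summarises a handful of rows copied verbatim from the table (per-type totals, largest resource, Delphi form names; TMadExcept and the TME* dialogs are the forms of the madExcept exception reporter), and shows why that last column exceeds 1.0 for the 0x14-byte cursor groups. It assumes the last column, which Joe Sandbox calls ZLIB Complexity, is zlib-compressed size divided by raw size: a 2-byte zlib header plus a 4-byte Adler-32 trailer on a 20-byte input already costs 30 percent. The sample rows are from the table; the regex and helper names are mine.

```python
import re
import zlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# One fused resource row as it comes out of the extracted report:
# <Name><RVA><Size><free-text type>[<Language><Country>]<ratio>
# Size is matched lazily and must be followed by an uppercase letter or the
# word "data"; otherwise the hex digits at the start of "data" would be eaten
# ("0x10data" would become size 0x10da, type "ta"). The type is matched lazily
# so that "image size 3600.431..." splits as "image size 360" + "0.431...":
# the ratio always has exactly one digit before the decimal point here.
ROW_RE = re.compile(
    r"^(?P<name>RT_[A-Z_]+)"
    r"(?P<rva>0x[0-9a-f]+)"
    r"(?P<size>0x[0-9a-f]+?)(?=[A-Z]|data)"
    r"(?P<kind>.*?)"
    r"(?:(?P<lang>English|German|French)(?P<country>United States|Germany|France))?"
    r"(?P<ratio>\d\.\d+)$"
)


@dataclass
class Resource:
    name: str
    rva: int
    size: int
    kind: str
    language: Optional[str]
    country: Optional[str]
    zlib_ratio: float


def parse_row(line: str) -> Resource:
    """Split one fused report row into its columns."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable resource row: {line!r}")
    return Resource(m["name"], int(m["rva"], 16), int(m["size"], 16),
                    m["kind"], m["lang"], m["country"], float(m["ratio"]))


# Rows copied verbatim from the resource table above (a representative subset).
SAMPLE_ROWS = [
    'RT_CURSOR0x13a60840x2ecTarga image data 64 x 65536 x 1 +32 "\\004"GermanGermany0.19518716577540107',
    "RT_BITMAP0x13a67a80x1d0Device independent bitmap graphic, 36 x 18 x 4, image size 3600.43103448275862066",
    "RT_ICON0x13e743c0x6594PNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States0.9916166743577911",
    "RT_RCDATA0x13f506c0x10data1.5",
    "RT_RCDATA0x1791a080x411c58Delphi compiled form 'TForm4'0.16619396209716797",
    "RT_RCDATA0x1c0f28c0xc07Delphi compiled form 'TMadExcept'0.47385514777525173",
    "RT_GROUP_CURSOR0x1c10c900x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3",
    "RT_VERSION0x1c10f380x304dataFrenchFrance0.4533678756476684",
]


def summarize(rows):
    """Count and total bytes per resource type, the largest resource, and the
    Delphi form names found in the RT_RCDATA descriptions."""
    resources = [parse_row(r) for r in rows]
    by_type = defaultdict(lambda: [0, 0])
    for r in resources:
        by_type[r.name][0] += 1
        by_type[r.name][1] += r.size
    forms = []
    for r in resources:
        m = re.search(r"Delphi compiled form '([^']+)'", r.kind)
        if m:
            forms.append(m.group(1))
    return {
        "by_type": {k: (count, total) for k, (count, total) in by_type.items()},
        "largest": max(resources, key=lambda r: r.size),
        "delphi_forms": forms,
    }


def zlib_ratio(data: bytes) -> float:
    """Compressed size over raw size (assumed definition of the last column).
    The fixed zlib header and Adler-32 trailer push tiny inputs above 1.0."""
    return len(zlib.compress(data)) / len(data) if data else 0.0


if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    for name, (count, total) in sorted(s["by_type"].items()):
        print(f"{name:16} {count:3} resources, {total:8} bytes")
    print("largest:", s["largest"].kind, hex(s["largest"].size))
    print("Delphi forms:", ", ".join(s["delphi_forms"]))
    print("20 constructed bytes:", round(zlib_ratio(bytes(range(20))), 2))
    print("4096 zero bytes:", round(zlib_ratio(b"\x00" * 4096), 4))
```

The 4 MB 'TForm4' DFM dwarfs everything else in the sample, and the PNG icon's ratio of 0.99 is the only near-incompressible resource. That is the expected reading for compressed image data, but an encrypted embedded payload would score the same, so the ratio alone says "already compressed or encrypted", not which.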
DLL | Import
kernel32.dll | LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSection, HeapFree, HeapReAlloc, HeapAlloc, GetProcessHeap, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, MultiByteToWideChar, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
user32.dll | LoadStringA, MessageBoxA, CharNextA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll | SetSecurityDescriptorDacl, RegSetValueExW, RegSetValueExA, RegQueryValueExW, RegQueryValueExA, RegQueryInfoKeyA, RegOpenKeyExW, RegOpenKeyExA, RegFlushKey, RegEnumValueA, RegEnumKeyA, RegEnumKeyExA, RegDeleteValueW, RegDeleteValueA, RegDeleteKeyA, RegCreateKeyExW, RegCreateKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA, LookupPrivilegeNameA, LookupPrivilegeDisplayNameA, LookupAccountSidA, LookupAccountNameA, IsValidSid, InitializeSecurityDescriptor, InitializeAcl, GetUserNameW, GetUserNameA, GetTokenInformation, GetSecurityDescriptorControl, GetLengthSid, GetAclInformation, GetAce, FreeSid, EqualSid, DeleteAce, AllocateAndInitializeSid, AdjustTokenPrivileges, AddAce, AddAccessAllowedAce
kernel32.dll | lstrlenW, lstrlenA, lstrcpyA, lstrcmpiW, lstrcmpW, lstrcmpA, WriteProcessMemory, WritePrivateProfileStringA, WriteFile, WinExec, WideCharToMultiByte, WaitNamedPipeA, WaitForSingleObject, WaitForMultipleObjectsEx, WaitForMultipleObjects, VirtualQueryEx, VirtualQuery, VirtualProtectEx, VirtualProtect, VirtualFree, VirtualAlloc, VerLanguageNameA, UnmapViewOfFile, TryEnterCriticalSection, TerminateThread, TerminateProcess, SystemTimeToTzSpecificLocalTime, SystemTimeToFileTime, SuspendThread, Sleep, SizeofResource, SetUnhandledExceptionFilter, SetThreadPriority, SetThreadLocale, SetThreadContext, SetThreadAffinityMask, SetPriorityClass, SetNamedPipeHandleState, SetLastError, SetFileTime, SetFilePointer, SetFileAttributesW, SetFileAttributesA, SetEvent, SetErrorMode, SetEndOfFile, SetCurrentDirectoryA, SearchPathA, ResumeThread, ResetEvent, RemoveDirectoryW, RemoveDirectoryA, ReleaseMutex, ReadProcessMemory, ReadFile, RaiseException, QueryPerformanceFrequency, QueryPerformanceCounter, QueryDosDeviceA, PulseEvent, PeekNamedPipe, OutputDebugStringA, OpenProcess, OpenFileMappingA, OpenEventA, MultiByteToWideChar, MulDiv, MoveFileExA, MoveFileW, MoveFileA, MapViewOfFile, LockResource, LocalSize, LocalFree, LocalFileTimeToFileTime, LocalAlloc, LoadResource, LoadLibraryExA, LoadLibraryW, LoadLibraryA, LeaveCriticalSection, IsValidLocale, IsBadReadPtr, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalReAlloc, GlobalMemoryStatus, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetWindowsDirectoryA, GetVolumeInformationW, GetVolumeInformationA, GetVersionExW, GetVersionExA, GetVersion, GetUserDefaultLangID, GetUserDefaultLCID, GetTimeZoneInformation, GetTickCount, GetThreadPriority, GetThreadLocale, GetThreadContext, GetTempPathW, GetTempPathA, GetSystemTimeAsFileTime, GetSystemTime, GetSystemInfo, GetSystemDirectoryW, GetSystemDirectoryA, GetSystemDefaultLangID, GetSystemDefaultLCID, GetStringTypeExW, GetStringTypeExA, GetStdHandle, GetStartupInfoA, GetShortPathNameA, GetProcessWorkingSetSize, GetProcessVersion, GetProcessTimes, GetProcessAffinityMask, GetProcAddress, GetPrivateProfileStringA, GetPriorityClass, GetModuleHandleW, GetModuleHandleA, GetModuleFileNameW, GetModuleFileNameA, GetLogicalDrives, GetLocaleInfoW, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameW, GetFullPathNameA, GetFileTime, GetFileSize, GetFileAttributesExW, GetFileAttributesExA, GetFileAttributesW, GetFileAttributesA, GetExitCodeThread, GetExitCodeProcess, GetEnvironmentVariableA, GetDriveTypeA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCurrentDirectoryW, GetCurrentDirectoryA, GetComputerNameW, GetComputerNameA, GetCommandLineW, GetCommandLineA, GetCPInfo, GetACP, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageW, FormatMessageA, FlushViewOfFile, FlushInstructionCache, FlushFileBuffers, FindResourceW, FindResourceA, FindNextFileW, FindNextFileA, FindNextChangeNotification, FindFirstFileW, FindFirstFileA, FindFirstChangeNotificationA, FindCloseChangeNotification, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExpandEnvironmentStringsW, ExpandEnvironmentStringsA, ExitThread, ExitProcess, EnumCalendarInfoA, EnterCriticalSection, DuplicateHandle, DosDateTimeToFileTime, DisconnectNamedPipe, DeviceIoControl, DeleteFileW, DeleteFileA, DeleteCriticalSection, DebugBreak, CreateThread, CreateSemaphoreA, CreateRemoteThread, CreateProcessW, CreateProcessA, CreatePipe, CreateNamedPipeA, CreateMutexA, CreateFileMappingW, CreateFileMappingA, CreateFileW, CreateFileA, CreateEventA, CreateDirectoryW, CreateDirectoryA, CopyFileW, CopyFileA, ConnectNamedPipe, CompareStringW, CompareStringA, CloseHandle, CallNamedPipeA, Beep
mpr.dll | WNetOpenEnumA, WNetGetUniversalNameA, WNetGetConnectionA, WNetEnumResourceA, WNetCloseEnum
version.dll | VerQueryValueW, VerQueryValueA, GetFileVersionInfoSizeW, GetFileVersionInfoSizeA, GetFileVersionInfoW, GetFileVersionInfoA
gdi32.dll | UnrealizeObject, TextOutW, TextOutA, StretchDIBits, StretchBlt, StartPage, StartDocW, StartDocA, SetWindowOrgEx, SetWindowExtEx, SetWinMetaFileBits, SetViewportOrgEx, SetViewportExtEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetPaletteEntries, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RoundRect, RestoreDC, ResizePalette, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PolyPolyline, PlayEnhMetaFile, PatBlt, OffsetWindowOrgEx, MoveToEx, MaskBlt, LineTo, LPtoDP, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetViewportOrgEx, GetTextMetricsA, GetTextFaceA, GetTextExtentPointW, GetTextExtentPointA, GetTextExtentPoint32W, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetNearestPaletteIndex, GetNearestColor, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionA, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExtTextOutW, ExtTextOutA, ExtCreatePen, ExcludeClipRect, EndPage, EndDoc, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRoundRectRgn, CreateRectRgnIndirect, CreateRectRgn, CreatePolygonRgn, CreatePenIndirect, CreatePen, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateFontA, CreateEnhMetaFileA, CreateEllipticRgn, CreateDIBitmap, CreateDIBSection, CreateDCA, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CombineRgn, CloseEnhMetaFile, BitBlt
user32.dll | CreateWindowExW, CreateWindowExA, wvsprintfA, WindowFromPoint, WinHelpA, WaitMessage, WaitForInputIdle, ValidateRect, UpdateWindow, UnregisterClassW, UnregisterClassA, UnionRect, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowRgn, SetWindowsHookExW, SetWindowsHookExA, SetWindowTextW, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRectEmpty, SetRect, SetPropA, SetParent, SetMenuItemInfoW, SetMenuItemInfoA, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageTimeoutA, SendMessageCallbackA, SendMessageW, SendMessageA, ScrollWindowEx, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterDeviceNotificationA, RegisterClipboardFormatA, RegisterClassExA, RegisterClassW, RegisterClassA, RedrawWindow, PtInRect, PostThreadMessageA, PostQuitMessage, PostMessageW, PostMessageA, PeekMessageW, PeekMessageA, OpenClipboard, OffsetRect, OemToCharW, OemToCharBuffA, OemToCharA, MsgWaitForMultipleObjects, MessageBoxW, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyW, MapVirtualKeyA, LoadStringW, LoadStringA, LoadKeyboardLayoutA, LoadImageW, LoadImageA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsClipboardFormatAvailable, IsChild, IsCharAlphaNumericA, IsCharAlphaA, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextLengthW, GetWindowTextW, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush,
GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMessageW, GetMessageA, GetMenuStringW, GetMenuStringA, GetMenuState, GetMenuItemInfoW, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDlgItem, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameW, GetClassNameA, GetClassLongA, GetClassInfoW, GetClassInfoA, GetCaretPos, GetCapture, GetActiveWindow, FrameRect, FindWindowExA, FindWindowA, FillRect, ExitWindowsEx, EqualRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExW, DrawTextExA, DrawTextW, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DrawAnimatedRects, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DestroyCaret, DeleteMenu, DefWindowProcW, DefWindowProcA, DefMDIChildProcW, DefMDIChildProcA, DefFrameProcW, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateMDIWindowW, CreateIcon, CloseClipboard, ClientToScreen, ChildWindowFromPointEx, ChildWindowFromPoint, CheckMenuItem, CharUpperBuffW, CharUpperW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallWindowProcA, CallNextHookEx, BringWindowToTop, BeginPaint, AttachThreadInput, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharUpperA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
                    ole32.dllCLSIDFromString, CoTaskMemFree, StringFromCLSID
                    kernel32.dllSleep
                    oleaut32.dllSafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayRedim, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
                    ole32.dllCreateStreamOnHGlobal, IsAccelerator, OleDraw, OleSetMenuDescriptor, OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, CoCreateGuid, CLSIDFromProgID, ProgIDFromCLSID, CLSIDFromString, StringFromCLSID, CoCreateInstance, CoSetProxyBlanket, CoInitializeSecurity, CoGetClassObject, CoGetMalloc, CoUninitialize, CoInitializeEx, CoInitialize, IsEqualGUID
                    oleaut32.dllCreateErrorInfo, GetErrorInfo, SetErrorInfo, GetActiveObject, SysStringLen, SysFreeString
                    comctl32.dllImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
                    shell32.dllShell_NotifyIconW, Shell_NotifyIconA, ShellExecuteExW, ShellExecuteExA, ShellExecuteA, SHGetFileInfoA, SHAppBarMessage
                    wininet.dllInternetQueryOptionA, FindNextUrlCacheEntryA, FindFirstUrlCacheEntryA, FindCloseUrlCache, DeleteUrlCacheEntry
                    shell32.dllSHGetSpecialFolderLocation, SHGetPathFromIDListW, SHGetPathFromIDListA, SHGetMalloc, SHGetDesktopFolder, SHChangeNotify, SHBrowseForFolderA
                    comdlg32.dllPrintDlgA, GetSaveFileNameW, GetSaveFileNameA, GetOpenFileNameW, GetOpenFileNameA
                    kernel32.dllMulDiv
                    wsock32.dllWSACleanup, WSAStartup, WSAGetLastError, gethostbyname, socket, setsockopt, sendto, send, select, recvfrom, recv, ioctlsocket, inet_addr, htons, connect, closesocket, bind
                    shell32.dllSHGetPathFromIDListA, SHGetSpecialFolderLocation, SHGetMalloc
                    kernel32.dllRtlUnwind
                    SHFolder.dllSHGetFolderPathA
                    advapi32.dllStartServiceA, QueryServiceStatus, OpenServiceA, OpenSCManagerA, EnumServicesStatusA, ControlService, CloseServiceHandle, ChangeServiceConfigA
                    winmm.dlltimeEndPeriod, mciSendCommandA, mciGetErrorStringA
                    comctl32.dllInitCommonControls
                    user32.dllDdeCmpStringHandles, DdeFreeStringHandle, DdeQueryStringA, DdeCreateStringHandleA, DdeGetLastError, DdeFreeDataHandle, DdeUnaccessData, DdeAccessData, DdeCreateDataHandle, DdeClientTransaction, DdeNameService, DdePostAdvise, DdeSetUserHandle, DdeQueryConvInfo, DdeDisconnect, DdeConnect, DdeUninitialize, DdeInitializeA
                    ole32.dllGetHGlobalFromStream, CreateStreamOnHGlobal
                    comctl32.dllImageList_Write
                    kernel32.dllGetVersionExA
                    ADVAPI32.DLLGetNamedSecurityInfoA
                    kernel32.dllGetVolumeNameForVolumeMountPointA
                    PowrProf.dllSetSuspendState
                    kernel32.dllSetFilePointerEx, GetFileSizeEx
                    advapi32.dllGetNamedSecurityInfoW, SetNamedSecurityInfoW
                    kernel32.dllSetFileValidData
                    ole32.dllStgOpenStorageEx, StgCreateStorageEx
                    shell32.dllSHUpdateRecycleBinIcon, ILCombine, SHCreateShellItem
                    kernel32.dllSetThreadExecutionState, TzSpecificLocalTimeToSystemTime
                    ntdll.dllNtSetInformationKey, NtClose, NtCreateFile, RtlInitUnicodeString, RtlCompressBuffer, RtlGetCompressionWorkSpaceSize
                    ADVAPI32.DLLConvertSidToStringSidA
                    psapi.dllEmptyWorkingSet
                    msi.dllMsiQueryProductStateA
                    kernel32.dllGlobalMemoryStatusEx
                    Name | Ordinal | Address
                    madTraceProcess | 1 | 0x525f60
                    Language of compilation system | Country where language is spoken | Map
                    English | United States |
                    German | Germany |
                    French | France |
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Aug 31, 2024 11:27:18.423257113 CEST | 49714 | 443 | 192.168.2.6 | 94.23.156.117
                    Aug 31, 2024 11:27:18.423295975 CEST | 443 | 49714 | 94.23.156.117 | 192.168.2.6
                    Aug 31, 2024 11:27:18.423372984 CEST | 49714 | 443 | 192.168.2.6 | 94.23.156.117
                    Aug 31, 2024 11:27:18.428704023 CEST | 49714 | 443 | 192.168.2.6 | 94.23.156.117
                    Aug 31, 2024 11:27:18.428719997 CEST | 443 | 49714 | 94.23.156.117 | 192.168.2.6
                    Aug 31, 2024 11:27:19.060359001 CEST | 443 | 49714 | 94.23.156.117 | 192.168.2.6
                    Aug 31, 2024 11:27:19.060551882 CEST | 49714 | 443 | 192.168.2.6 | 94.23.156.117
                    Aug 31, 2024 11:27:19.062761068 CEST | 49714 | 443 | 192.168.2.6 | 94.23.156.117
                    Aug 31, 2024 11:27:19.062768936 CEST | 443 | 49714 | 94.23.156.117 | 192.168.2.6
                    Aug 31, 2024 11:27:19.062994957 CEST | 443 | 49714 | 94.23.156.117 | 192.168.2.6
                    Aug 31, 2024 11:27:19.106410027 CEST | 49714 | 443 | 192.168.2.6 | 94.23.156.117
                    Aug 31, 2024 11:27:19.152506113 CEST | 443 | 49714 | 94.23.156.117 | 192.168.2.6
                    Aug 31, 2024 11:27:19.321569920 CEST | 443 | 49714 | 94.23.156.117 | 192.168.2.6
                    Aug 31, 2024 11:27:19.321628094 CEST | 443 | 49714 | 94.23.156.117 | 192.168.2.6
                    Aug 31, 2024 11:27:19.321799040 CEST | 49714 | 443 | 192.168.2.6 | 94.23.156.117
                    Aug 31, 2024 11:27:19.325292110 CEST | 49714 | 443 | 192.168.2.6 | 94.23.156.117
                    Aug 31, 2024 11:27:19.325309038 CEST | 443 | 49714 | 94.23.156.117 | 192.168.2.6
                    Aug 31, 2024 11:27:19.325321913 CEST | 49714 | 443 | 192.168.2.6 | 94.23.156.117
                    Aug 31, 2024 11:27:19.325328112 CEST | 443 | 49714 | 94.23.156.117 | 192.168.2.6
                    Aug 31, 2024 11:27:19.337569952 CEST | 49715 | 443 | 192.168.2.6 | 94.23.156.117
                    Aug 31, 2024 11:27:19.337604046 CEST | 443 | 49715 | 94.23.156.117 | 192.168.2.6
                    Aug 31, 2024 11:27:19.337677956 CEST | 49715 | 443 | 192.168.2.6 | 94.23.156.117
                    Aug 31, 2024 11:27:19.337968111 CEST | 49715 | 443 | 192.168.2.6 | 94.23.156.117
                    Aug 31, 2024 11:27:19.337984085 CEST | 443 | 49715 | 94.23.156.117 | 192.168.2.6
                    Aug 31, 2024 11:27:20.066592932 CEST | 443 | 49715 | 94.23.156.117 | 192.168.2.6
                    Aug 31, 2024 11:27:20.066679001 CEST | 49715 | 443 | 192.168.2.6 | 94.23.156.117
                    Aug 31, 2024 11:27:20.067738056 CEST | 49715 | 443 | 192.168.2.6 | 94.23.156.117
                    Aug 31, 2024 11:27:20.067749977 CEST | 443 | 49715 | 94.23.156.117 | 192.168.2.6
                    Aug 31, 2024 11:27:20.067992926 CEST | 443 | 49715 | 94.23.156.117 | 192.168.2.6
                    Aug 31, 2024 11:27:20.069621086 CEST | 49715 | 443 | 192.168.2.6 | 94.23.156.117
                    Aug 31, 2024 11:27:20.116493940 CEST | 443 | 49715 | 94.23.156.117 | 192.168.2.6
                    Aug 31, 2024 11:27:20.339138985 CEST | 443 | 49715 | 94.23.156.117 | 192.168.2.6
                    Aug 31, 2024 11:27:20.339205027 CEST | 443 | 49715 | 94.23.156.117 | 192.168.2.6
                    Aug 31, 2024 11:27:20.339266062 CEST | 49715 | 443 | 192.168.2.6 | 94.23.156.117
                    Aug 31, 2024 11:27:20.378001928 CEST | 49715 | 443 | 192.168.2.6 | 94.23.156.117
                    Aug 31, 2024 11:27:20.378032923 CEST | 443 | 49715 | 94.23.156.117 | 192.168.2.6
                    Aug 31, 2024 11:27:20.378046989 CEST | 49715 | 443 | 192.168.2.6 | 94.23.156.117
                    Aug 31, 2024 11:27:20.378051996 CEST | 443 | 49715 | 94.23.156.117 | 192.168.2.6
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Aug 31, 2024 11:27:18.152189970 CEST | 63098 | 53 | 192.168.2.6 | 1.1.1.1
                    Aug 31, 2024 11:27:18.347718954 CEST | 53 | 63098 | 1.1.1.1 | 192.168.2.6
                    Aug 31, 2024 11:27:19.328217983 CEST | 51597 | 53 | 192.168.2.6 | 1.1.1.1
                    Aug 31, 2024 11:27:19.336911917 CEST | 53 | 51597 | 1.1.1.1 | 192.168.2.6
                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                    Aug 31, 2024 11:27:18.152189970 CEST | 192.168.2.6 | 1.1.1.1 | 0x857c | Standard query (0) | www.privazer.com | A (IP address) | IN (0x0001) | false
                    Aug 31, 2024 11:27:19.328217983 CEST | 192.168.2.6 | 1.1.1.1 | 0x5e39 | Standard query (0) | privazer.com | A (IP address) | IN (0x0001) | false
                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                    Aug 31, 2024 11:27:18.347718954 CEST | 1.1.1.1 | 192.168.2.6 | 0x857c | No error (0) | www.privazer.com | privazer.com | | CNAME (Canonical name) | IN (0x0001) | false
                    Aug 31, 2024 11:27:18.347718954 CEST | 1.1.1.1 | 192.168.2.6 | 0x857c | No error (0) | privazer.com | | 94.23.156.117 | A (IP address) | IN (0x0001) | false
                    Aug 31, 2024 11:27:19.336911917 CEST | 1.1.1.1 | 192.168.2.6 | 0x5e39 | No error (0) | privazer.com | | 94.23.156.117 | A (IP address) | IN (0x0001) | false
                    • www.privazer.com
                    • privazer.com
                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    0 | 192.168.2.6 | 49714 | 94.23.156.117 | 443 | 1176 | C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe
                    Timestamp | Bytes transferred | Direction | Data
                    2024-08-31 09:27:19 UTC | 198 | OUT | GET /new_version_4.0.092.txt HTTP/1.1
                    Cache-Control: no-cache
                    Connection: Close
                    Pragma: no-cache
                    Accept: */*
                    User-Agent: Mozilla/5.0 (Windows; mORMot 1.18 TWinHTTP_)
                    Host: www.privazer.com
                    2024-08-31 09:27:19 UTC | 237 | IN | HTTP/1.1 301 Moved Permanently
                    Server: nginx
                    Date: Sat, 31 Aug 2024 09:27:19 GMT
                    Content-Type: text/html
                    Content-Length: 162
                    Connection: close
                    Location: https://privazer.com/new_version_4.0.092.txt
                    Alt-Svc: h3=":443"; ma=86400
                    2024-08-31 09:27:19 UTC | 162 | IN | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    1 | 192.168.2.6 | 49715 | 94.23.156.117 | 443 | 1176 | C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe
                    Timestamp | Bytes transferred | Direction | Data
                    2024-08-31 09:27:20 UTC | 194 | OUT | GET /new_version_4.0.092.txt HTTP/1.1
                    Cache-Control: no-cache
                    Connection: Close
                    Pragma: no-cache
                    Accept: */*
                    User-Agent: Mozilla/5.0 (Windows; mORMot 1.18 TWinHTTP_)
                    Host: privazer.com
                    2024-08-31 09:27:20 UTC | 163 | IN | HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Sat, 31 Aug 2024 09:27:20 GMT
                    Content-Type: text/html; charset=iso-8859-1
                    Content-Length: 196
                    Connection: close
                    2024-08-31 09:27:20 UTC | 196 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>



                    Target ID:0
                    Start time:05:27:04
                    Start date:31/08/2024
                    Path:C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Heur.7529.3828.exe"
                    Imagebase:0x400000
                    File size:29'240'904 bytes
                    MD5 hash:6EEC575753A25441C6FADE4F961195C4
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:Borland Delphi
                    Yara matches:
                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000000.2102917811.0000000000A86000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000000.2102968553.00000000012BB000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                    Reputation:low
                    Has exited:false


                      Execution Graph

                      Execution Coverage:0.6%
                      Dynamic/Decrypted Code Coverage:100%
                      Signature Coverage:13.3%
                      Total number of Nodes:211
                      Total number of Limit Nodes:11
                      execution_graph: node and edge data of the interactive graph widget (the 211 nodes and 11 limit nodes counted above), not reproducible as text. API calls named on the graph's nodes: Sleep, VirtualAlloc, GetClassInfoW, UnregisterClassW, RegisterClassW, SetWindowLongW, CreateWindowExW, GetSystemInfo, GetModuleFileNameW, LoadLibraryExW, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, EnterCriticalSection, LeaveCriticalSection, IsValidLocale, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, FindFirstFileW, FindClose, GetLocaleInfoW, GetCurrentThreadId, GetStdHandle, WriteFile, MessageBoxA, FreeLibrary, ExitProcess.

                      Control-flow Graph

                      APIs
                      • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,05BFD3AC,?,?), ref: 05BFD31E
                      • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,05BFD3AC,?,?), ref: 05BFD327
                        • Part of subcall function 05BFD1B4: FindFirstFileW.KERNEL32(00000000,?,00000000,05BFD212,?,00000001), ref: 05BFD1E7
                        • Part of subcall function 05BFD1B4: FindClose.KERNEL32(00000000,00000000,?,00000000,05BFD212,?,00000001), ref: 05BFD1F7
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                      • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
                      • String ID:
                      • API String ID: 3216391948-0
                      • Opcode ID: a602e83dfdcb42171184952f855d971ccc8c86667fe01dfefcf1781503a8e5d6
                      • Instruction ID: dcf810f02baea21dcdc63f900dc201cc59e7cde998303183f99b033dec2a0d4c
                      • Opcode Fuzzy Hash: a602e83dfdcb42171184952f855d971ccc8c86667fe01dfefcf1781503a8e5d6
                      • Instruction Fuzzy Hash: 13113A74B00209AFDF04EBA4C985AAEB7B9EF44700F6044F5A714E7291DB747E0C8765

                      Control-flow Graph

                      APIs
                      • FindFirstFileW.KERNEL32(00000000,?,00000000,05BFD212,?,00000001), ref: 05BFD1E7
                      • FindClose.KERNEL32(00000000,00000000,?,00000000,05BFD212,?,00000001), ref: 05BFD1F7
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                      • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID: Find$CloseFileFirst
                      • String ID:
                      • API String ID: 2295610775-0
                      • Opcode ID: 43ef3002963224826e89ebc4fa98f06e1e19fc0339845f6f7d35c414de77f3d7
                      • Instruction ID: 67e4515e219e48dd0da2a1d39548bf34b9206103b34f5fde90208ff1b699b584
                      • Opcode Fuzzy Hash: 43ef3002963224826e89ebc4fa98f06e1e19fc0339845f6f7d35c414de77f3d7
                      • Instruction Fuzzy Hash: ADF0E230640208AECB20FBB4CD4699EB3ACEF483107A005F0A604D3160EB34BF0CA764

                      Control-flow Graph

                      control_flow_graph 218 5bfde88-5bfde98 GetSystemInfo
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                      • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID: InfoSystem
                      • String ID:
                      • API String ID: 31276548-0
                      • Opcode ID: b03502c8a0c4c62d3fa64f86d652dfc5c6bad546fe67d67334ae875eb94abd9a
                      • Instruction ID: 628a7eb864f0907cbc62895ae15b3bf50727c2d38d3dd011935f7dd689513cd6
                      • Opcode Fuzzy Hash: b03502c8a0c4c62d3fa64f86d652dfc5c6bad546fe67d67334ae875eb94abd9a
                      • Instruction Fuzzy Hash: 9FA012105084000AC904E7184D4650B31D01940010FC4029864AC95383E606956803DB

                      Control-flow Graph

                      APIs
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,05BFCFFD,?,?), ref: 05BFCE11
                      • RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,05BFCFFD,?,?), ref: 05BFCE5A
                      • RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,05BFCFFD,?,?), ref: 05BFCE7C
                      • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 05BFCE9A
                      • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 05BFCEB8
                      • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 05BFCED6
                      • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 05BFCEF4
                      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,05BFCFE0,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,05BFCFFD), ref: 05BFCF34
                      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,05BFCFE0,?,80000001), ref: 05BFCF5F
                      • RegCloseKey.ADVAPI32(?,05BFCFE7,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,05BFCFE0,?,80000001,Software\Embarcadero\Locales), ref: 05BFCFDA
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                      • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID: Open$QueryValue$CloseFileModuleName
                      • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
                      • API String ID: 2701450724-3496071916
                      • Opcode ID: cf54e5006225415969424a72eb82ea7dc76f1d0bf3618808398e83587b8d072f
                      • Instruction ID: 975d1549a93c784f1b55f3ba8b90dfe33ee75a1f062899c5fd2a8be68fcf9505
                      • Opcode Fuzzy Hash: cf54e5006225415969424a72eb82ea7dc76f1d0bf3618808398e83587b8d072f
                      • Instruction Fuzzy Hash: EC512F75B8460CBEEB20DBA4CC55FAEB7BCEB08700F5044E1BB04E6192D671BA8C9755

                      Control-flow Graph

                      APIs
                      • GetClassInfoW.USER32(MZP,05CBB8D0,?), ref: 05CBB90D
                      • UnregisterClassW.USER32(05CBB8D0,MZP), ref: 05CBB936
                      • RegisterClassW.USER32(05E44888), ref: 05CBB940
                      • SetWindowLongW.USER32(00000000,000000FC,00000000), ref: 05CBB98B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                      • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID: Class$InfoLongRegisterUnregisterWindow
                      • String ID: MZP
                      • API String ID: 4025006896-2889622443
                      • Opcode ID: 51ae1e35b1a5aa0c5647ba735e01a359d103656ee5dcf3512ee7bda4d02eef3e
                      • Instruction ID: 04669011cb1991a5ba2149521368e061e5a9a3d3d4f3c424928522e9ab426c5c
                      • Opcode Fuzzy Hash: 51ae1e35b1a5aa0c5647ba735e01a359d103656ee5dcf3512ee7bda4d02eef3e
                      • Instruction Fuzzy Hash: 5D01A1757141546BEF01EBA9DC85FAA37ECE708218F105940B984E72C1CEB1D9068B90

                      Control-flow Graph

                      control_flow_graph 49 5bf9718-5bf9725 50 5bf972c-5bf9760 GetCurrentThreadId 49->50 51 5bf9727 49->51 52 5bf9764-5bf9790 call 5bf95fc 50->52 53 5bf9762 50->53 51->50 56 5bf9799-5bf97a0 52->56 57 5bf9792-5bf9794 52->57 53->52 59 5bf97aa-5bf97b0 56->59 60 5bf97a2-5bf97a5 56->60 57->56 58 5bf9796 57->58 58->56 61 5bf97b5-5bf97bc 59->61 62 5bf97b2 59->62 60->59 63 5bf97be-5bf97c5 61->63 64 5bf97cb-5bf97cf 61->64 62->61 63->64 65 5bf9a5c-5bf9a71 64->65 66 5bf97d5 call 5bf96ac 64->66 68 5bf9a84-5bf9a8b 65->68 69 5bf9a73-5bf9a7f call 5bf993c call 5bf99c4 65->69 72 5bf97da 66->72 70 5bf9aae-5bf9ab2 68->70 71 5bf9a8d-5bf9a98 GetCurrentThreadId 68->71 69->68 75 5bf9ac8-5bf9acc 70->75 76 5bf9ab4-5bf9ab7 70->76 71->70 74 5bf9a9a-5bf9aa9 call 5bf961c call 5bf9998 71->74 74->70 80 5bf9ace-5bf9ad5 75->80 81 5bf9adc-5bf9ae5 call 5bf6830 75->81 76->75 79 5bf9ab9-5bf9ac6 76->79 79->75 80->81 84 5bf9ad7-5bf9ad9 80->84 90 5bf9af9-5bf9b02 call 5bf9644 81->90 91 5bf9ae7-5bf9af7 call 5bf7fcc call 5bf6830 81->91 84->81 97 5bf9b0d-5bf9b12 90->97 98 5bf9b04-5bf9b0b 90->98 91->90 100 5bf9b33-5bf9b3e call 5bf961c 97->100 101 5bf9b14-5bf9b27 call 5bfd6fc 97->101 98->97 98->100 106 5bf9b43-5bf9b47 100->106 107 5bf9b40 100->107 101->100 108 5bf9b29-5bf9b2b 101->108 109 5bf9b49-5bf9b4b call 5bf9998 106->109 110 5bf9b50-5bf9b53 106->110 107->106 108->100 111 5bf9b2d-5bf9b2e FreeLibrary 108->111 109->110 113 5bf9b6f-5bf9b7e 110->113 114 5bf9b55-5bf9b5c 110->114 111->100 113->75 115 5bf9b5e 114->115 116 5bf9b64-5bf9b6a ExitProcess 114->116 115->116
                      APIs
                      • GetCurrentThreadId.KERNEL32 ref: 05BF974F
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                      • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID: CurrentThread
                      • String ID:
                      • API String ID: 2882836952-0
                      • Opcode ID: 9abc4b3615ef6a9d65cb9477993e0063f14fdc662f9d497905f83ece1fd987e7
                      • Instruction ID: a6aa0dc35b262e035918c65df1c4d9af3bd2590f77f945ef7e4f573e04000ece
                      • Opcode Fuzzy Hash: 9abc4b3615ef6a9d65cb9477993e0063f14fdc662f9d497905f83ece1fd987e7
                      • Instruction Fuzzy Hash: 0C519B746043448FDF24EF69D089B6A7BE1FB08354F1445D9EA498B242CB74F88ACF64

                      Control-flow Graph

                      APIs
                      • GetUserDefaultUILanguage.KERNEL32(00000000,05BFD4CF,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,05BFD556,00000000,?,00000105), ref: 05BFD463
                      • GetSystemDefaultUILanguage.KERNEL32(00000000,05BFD4CF,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,05BFD556,00000000,?,00000105), ref: 05BFD48B
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                      • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID: DefaultLanguage$SystemUser
                      • String ID:
                      • API String ID: 384301227-0
                      • Opcode ID: d1ed0d64df0e0a7b54d8175f387d6cb614e6167327041171a18c9e1da77477af
                      • Instruction ID: f084e1fb542763126d1f3ae9cb2c6517875660a3d493e24fffe19f355d7ac3e0
                      • Opcode Fuzzy Hash: d1ed0d64df0e0a7b54d8175f387d6cb614e6167327041171a18c9e1da77477af
                      • Instruction Fuzzy Hash: EB312B34B142099FDF14EF98C885BAEB7B5FF88300F5041E5E610A7250DB74BD898B90

                      Control-flow Graph

                      APIs
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,05BFD596,?,05BF0000,05E41C24), ref: 05BFD518
                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,05BFD596,?,05BF0000,05E41C24), ref: 05BFD569
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                      • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID: FileLibraryLoadModuleName
                      • String ID:
                      • API String ID: 1159719554-0
                      • Opcode ID: 4db240974f34ba2caf3da83b5fa78cff24a0bd03a82912b651115262ea096e33
                      • Instruction ID: 80be0a77dfec639487964f3ee9d868510e23eb30248cfc192c34c2cffa2d11d2
                      • Opcode Fuzzy Hash: 4db240974f34ba2caf3da83b5fa78cff24a0bd03a82912b651115262ea096e33
                      • Instruction Fuzzy Hash: 6911A330B4031CAFDB24EB64CC89BDE73B8EB08700F5140E6A608A3291DA707F88CB55

                      Control-flow Graph

                      control_flow_graph 207 5c03134-5c03188 call 5bf6b84 CreateWindowExW call 5bf6b74
                      APIs
                      • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 05C03173
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                      • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID: CreateWindow
                      • String ID:
                      • API String ID: 716092398-0
                      • Opcode ID: aa7b4647e801c16ac1f458cd8db686cc17b15f90949beb062310c21079636443
                      • Instruction ID: ac3c7adfcff224b5eb568243d3dc5241dbac86bcefed52baa62359415a30827a
                      • Opcode Fuzzy Hash: aa7b4647e801c16ac1f458cd8db686cc17b15f90949beb062310c21079636443
                      • Instruction Fuzzy Hash: 43F09DB2700158BF8B84DEADDC85EDB77ECEB4D2A4B054165FA0CD3200D630ED118BA4

                      Control-flow Graph

                      control_flow_graph 212 5bfc264-5bfc272 213 5bfc29f-5bfc2aa 212->213 214 5bfc274-5bfc28b GetModuleFileNameW call 5bfd4dc 212->214 216 5bfc290-5bfc297 214->216 216->213 217 5bfc299-5bfc29c 216->217 217->213
                      APIs
                      • GetModuleFileNameW.KERNEL32(05BF0000,?,0000020A), ref: 05BFC282
                        • Part of subcall function 05BFD4DC: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,05BFD596,?,05BF0000,05E41C24), ref: 05BFD518
                        • Part of subcall function 05BFD4DC: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,05BFD596,?,05BF0000,05E41C24), ref: 05BFD569
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                      • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID: FileModuleName$LibraryLoad
                      • String ID:
                      • API String ID: 4113206344-0
                      • Opcode ID: 8168c112ce954252870e58858127cfd94e889c3a9e3b8d96549f6cbcb46248a5
                      • Instruction ID: a4b3f433e59b6196d4fc0244e68ce367ad121c136236e73f81cc0c4a9c982d7b
                      • Opcode Fuzzy Hash: 8168c112ce954252870e58858127cfd94e889c3a9e3b8d96549f6cbcb46248a5
                      • Instruction Fuzzy Hash: 66E0C9B1A003149FDB50DEACC8C4A563794AB08754F044991AE18CF246D371E95487D1

                      Control-flow Graph

                      control_flow_graph 219 5cbb754-5cbb762 220 5cbb7d0-5cbb7e9 219->220 221 5cbb764-5cbb78d VirtualAlloc call 5bf6930 219->221 223 5cbb792-5cbb7a2 call 5cbb74c 221->223 226 5cbb7a5-5cbb7c8 call 5cbb74c 223->226 229 5cbb7ca 226->229 229->220
                      APIs
                      • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 05CBB772
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                      • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: a3be42215110dc6f7b04a1e9e5f2889f63baebf0b66bd9fd71d59b84452c901f
                      • Instruction ID: 12b31211072219643a5fb534a1ea92775605d4cb1d5d982d7febdd2f547f9f4f
                      • Opcode Fuzzy Hash: a3be42215110dc6f7b04a1e9e5f2889f63baebf0b66bd9fd71d59b84452c901f
                      • Instruction Fuzzy Hash: 71114C787007058BD720DF19C885B92F7F5EF88790F20852AE99C9B384D7B0E9059BA4

                      Control-flow Graph

                      control_flow_graph 230 5bf4fe0-5bf4ffd call 5bf4f74 VirtualAlloc 233 5bf4fff-5bf504b 230->233 234 5bf504c-5bf5056 230->234
                      APIs
                      • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,05BF55F3,?,05BF5B98), ref: 05BF4FF6
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                      • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: ffe6ce6c1d98c951166bf96eb9fcf3243d82659fb1ee46dfe26ac188ce292d28
                      • Instruction ID: 057b66ceb1043a1a66742de9d1d2cb8489133cee8beeb9af9e31532ee9863830
                      • Opcode Fuzzy Hash: ffe6ce6c1d98c951166bf96eb9fcf3243d82659fb1ee46dfe26ac188ce292d28
                      • Instruction Fuzzy Hash: 54F049B0B153009FEB048F7A99467067AD2F789308F1085BDE649DB788EB7195079B80
                      APIs
                      • GetModuleHandleW.KERNEL32(kernel32.dll,05C0C83C,?,?), ref: 05BFCC05
                      • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 05BFCC16
                      • FindFirstFileW.KERNEL32(?,?,kernel32.dll,05C0C83C,?,?), ref: 05BFCD16
                      • FindClose.KERNEL32(?,?,?,kernel32.dll,05C0C83C,?,?), ref: 05BFCD28
                      • lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,05C0C83C,?,?), ref: 05BFCD34
                      • lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,05C0C83C,?,?), ref: 05BFCD79
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                      • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
                      • String ID: GetLongPathNameW$\$kernel32.dll
                      • API String ID: 1930782624-3908791685
                      • Opcode ID: c04b51a92cf7c9815cef735013927d9b1c930dfb4fa5a5032d22abf69e388e7d
                      • Instruction ID: b824f4eaba5f2fa126796a90fc0eab279dadbdbf519a528bc0616c7c736f95ed
                      • Opcode Fuzzy Hash: c04b51a92cf7c9815cef735013927d9b1c930dfb4fa5a5032d22abf69e388e7d
                      • Instruction Fuzzy Hash: 5741A375A0851CABCB14DF98CC89ADEBBB5EF44310F1445E4C605E3645E774BE88CB85
                      APIs
                      • FindResourceW.KERNEL32(?,?,?,05C8602C,?,00000001,00000000,?,05CAAD42,00000000,?,?,?,?,?,05C9F971), ref: 05CAAE6B
                      • LoadResource.KERNEL32(?,05CAAEF0,?,?,?,05C8602C,?,00000001,00000000,?,05CAAD42,00000000,?), ref: 05CAAE85
                      • SizeofResource.KERNEL32(?,05CAAEF0,?,05CAAEF0,?,?,?,05C8602C,?,00000001,00000000,?,05CAAD42,00000000,?), ref: 05CAAE9F
                      • LockResource.KERNEL32(05CAA894,00000000,?,05CAAEF0,?,05CAAEF0,?,?,?,05C8602C,?,00000001,00000000,?,05CAAD42,00000000), ref: 05CAAEA9
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                      • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID: Resource$FindLoadLockSizeof
                      • String ID:
                      • API String ID: 3473537107-0
                      APIs
                      • IsValidLocale.KERNEL32(?,00000002,00000000,05BFC8F1,?,05C0C83C,?,00000000), ref: 05BFC836
                      • GetLocaleInfoW.KERNEL32(00000000,00000059,?,00000055,?,00000002,00000000,05BFC8F1,?,05C0C83C,?,00000000), ref: 05BFC852
                      • GetLocaleInfoW.KERNEL32(00000000,0000005A,?,00000055,00000000,00000059,?,00000055,?,00000002,00000000,05BFC8F1,?,05C0C83C,?,00000000), ref: 05BFC863
                      Similarity
                      • API ID: Locale$Info$Valid
                      • String ID:
                      • API String ID: 1826331170-0
                      APIs
                      • IsDebuggerPresent.KERNEL32(00000000,05CB9147), ref: 05CB90BE
                      • RaiseException.KERNEL32(406D1388,00000000,00000004,00001000,00000000,05CB9119,?,00000000,05CB9147), ref: 05CB910A
                      Similarity
                      • API ID: DebuggerExceptionPresentRaise
                      • String ID:
                      • API String ID: 1899633966-0
                      APIs
                      • FindFirstFileW.KERNEL32(00000000,?,00000000,?,05C12EEF,00000000,?,?,?,05E377AD,00000000,05E37A80), ref: 05C12E43
                      • FindClose.KERNEL32(00000000,00000000,?,00000000,?,05C12EEF,00000000,?,?,?,05E377AD,00000000,05E37A80), ref: 05C12E4E
                      Similarity
                      • API ID: Find$CloseFileFirst
                      • String ID:
                      • API String ID: 2295610775-0
                      APIs
                      • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?), ref: 05C1312D
                      Similarity
                      • API ID: DiskFreeSpace
                      • String ID:
                      • API String ID: 1705453755-0
                      APIs
                      • GetLocaleInfoW.KERNEL32(00000000,0000100B,?,00000100,00000000,00000000,?,05C176DF,?,?), ref: 05C16E02
                      Similarity
                      • API ID: InfoLocale
                      • String ID:
                      • API String ID: 2299586839-0
                      APIs
                      • EnumSystemLocalesW.KERNEL32(05C1A30C,00000002,?,?,05C1A86D,05C172B5,?,00000000,05C172F6,?,?,?,00000000,00000000), ref: 05C1A53D
                      Similarity
                      • API ID: EnumLocalesSystem
                      • String ID:
                      • API String ID: 2099609381-0
                      APIs
                      • GetLocaleInfoW.KERNEL32(00000000,0000000F,?,00000002,0000002C,00000000,00000000,?,05C16F3C,?,?,?,05D76C4D,?,00000000,05D76C6A), ref: 05C16E43
                      Similarity
                      • API ID: InfoLocale
                      • String ID:
                      • API String ID: 2299586839-0
                      APIs
                      • GetLocaleInfoW.KERNEL32(00000000,00000003,?,00000400,?,05C1A3CC,?,00000000,05C1A4D9,?,?,?,00000000,00000000,?,05C1A322), ref: 05C1A343
                      Similarity
                      • API ID: InfoLocale
                      • String ID:
                      • API String ID: 2299586839-0
                      Similarity
                      • API ID: Version
                      • String ID:
                      • API String ID: 1889659487-0
                      Similarity
                      • API ID: LocalTime
                      • String ID:
                      • API String ID: 481472006-0
                      • Opcode ID: 3035a859a6e6951f399c5cc76d7050b6a4065ae624648ebe7450bcd19eac16d1
                      • Instruction ID: 7ec7b0e59238e7a7dba54c6d2768ff4e6e9e733fe30b1a974867c4401b03993e
                      • Opcode Fuzzy Hash: 3035a859a6e6951f399c5cc76d7050b6a4065ae624648ebe7450bcd19eac16d1
                      • Instruction Fuzzy Hash: DDA0120440482001814033184C0A53870405801520FC40F40A8F8502D0E91D41205197
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                      • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmpDownload File
                      • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmpDownload File
                      • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmpDownload File
                      • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmpDownload File
                      • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmpDownload File
                      • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmpDownload File
                      • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmpDownload File
                      • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a7808a27f8b824b060de6a7dcd5a002d2744c8d8e5733ca2dac347654d6275a8
                      • Instruction ID: d757eb68c2fbdee4139b950a445b68e01135dee18c4c958dae2e345ef2b22fbc
                      • Opcode Fuzzy Hash: a7808a27f8b824b060de6a7dcd5a002d2744c8d8e5733ca2dac347654d6275a8
                      • Instruction Fuzzy Hash: 4A32B172D00628CFDB55CF69C540589F7F6FF8A724B2A82D6D818BB229D2706E41DF90
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                      • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmpDownload File
                      • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmpDownload File
                      • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmpDownload File
                      • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmpDownload File
                      • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmpDownload File
                      • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmpDownload File
                      • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmpDownload File
                      • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4e21d7c4152f06780a3d863b374727b54d3acf944f04436f805944476736ccae
                      • Instruction ID: 2515c8fbf60aca16ff5eef4c95f0362b226ad37c751a386f1bec8a005c69269d
                      • Opcode Fuzzy Hash: 4e21d7c4152f06780a3d863b374727b54d3acf944f04436f805944476736ccae
                      • Instruction Fuzzy Hash: 78515271A04144AFE740CB69CD84B5EBBF6EFC8301F19C4A4E888D7245D635EE15DBA1
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                      • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmpDownload File
                      • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmpDownload File
                      • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmpDownload File
                      • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmpDownload File
                      • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmpDownload File
                      • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmpDownload File
                      • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmpDownload File
                      • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: fc50a85fe2b8778a9ca7fbec457c5947768c9476a6d997d4dc0208159531c0e9
                      • Instruction ID: 7d5461b06e0be7a8766f8e9af8e522f96b70729c1dd5741a08f9e607c048c8ec
                      • Opcode Fuzzy Hash: fc50a85fe2b8778a9ca7fbec457c5947768c9476a6d997d4dc0208159531c0e9
                      • Instruction Fuzzy Hash: 21516071A04144AFE740CB69CD84A6EBBF6EFC8301F59C4A4E888D7245D634EE15EBA1
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                      • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmpDownload File
                      • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmpDownload File
                      • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmpDownload File
                      • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmpDownload File
                      • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmpDownload File
                      • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmpDownload File
                      • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmpDownload File
                      • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 13f8928c1cc1b431e54da796f7aa29c7781ccca33b0183ad223ae88f47a4ff18
                      • Instruction ID: 0cf14e14e99602238eac9dedbaf54f96e6b0f6a329ecf2ad7def33ac00fecee9
                      • Opcode Fuzzy Hash: 13f8928c1cc1b431e54da796f7aa29c7781ccca33b0183ad223ae88f47a4ff18
                      • Instruction Fuzzy Hash: EB414D36E012559BEB48DE1DC8C1AA6B7A2BF85210F1DC574DC988B30BD939D942C7D0
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                       • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 13f8928c1cc1b431e54da796f7aa29c7781ccca33b0183ad223ae88f47a4ff18
                      • Instruction ID: 13c66242c98b1b06ca81eba68f9a8e04accfe51bee5972d991853c37a5f196fa
                      • Opcode Fuzzy Hash: 13f8928c1cc1b431e54da796f7aa29c7781ccca33b0183ad223ae88f47a4ff18
                      • Instruction Fuzzy Hash: 6A415E36A002959BEB48DE5DC8D1AA6B7A3EF85210F0DC974DC9C8B30BD938D942C7D0
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                       • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3899d4e3c0f614cfcf5feb85e251fbc96227725df1658236925792765df078eb
                      • Instruction ID: eb6559ddd47924aca5b748fe65632cc94965c77fd98efa65addb519c54468af2
                      • Opcode Fuzzy Hash: 3899d4e3c0f614cfcf5feb85e251fbc96227725df1658236925792765df078eb
                      • Instruction Fuzzy Hash: 9F313376614688EFDB01DF68C8819CEFBB2EB95310F25C6A5E8449B305C634EF46DB90
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                       • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2248989504ca69bc87bdaeaebb84ee3f0ca8a6a2177cc095031e741cdc4df57b
                      • Instruction ID: 1f2c563342a4a5f7563f4af84598ed87fed17bcc6b5287b78ff0427d1a12a3f3
                      • Opcode Fuzzy Hash: 2248989504ca69bc87bdaeaebb84ee3f0ca8a6a2177cc095031e741cdc4df57b
                      • Instruction Fuzzy Hash: 5E315376614688EFCB01DF68C8819CEFBB2EB95310F24C6A4E8449B305C634EF46DB90
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                       • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 33cea22718931a720b7b5c25b26575e4c71996a9bb16ef21b53b62a83bc13087
                      • Instruction ID: 697f77f0e34a38bed64b048f7ab7a4853c2afc45b9389584d32017eeb9db0f64
                      • Opcode Fuzzy Hash: 33cea22718931a720b7b5c25b26575e4c71996a9bb16ef21b53b62a83bc13087
                      • Instruction Fuzzy Hash: C1313235714288EFDB01DE58C8829CDFBB2EB95210F64C6A1E8448B306C634EF46DB90
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                       • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7f23074346049f0b9b7578224769836f77fa9ee9b864ff6208af8884c92afe46
                      • Instruction ID: c07249e5c22ba6288b5bbd5332481c5c1c4d50c3e593fe7f80549c31882f874f
                      • Opcode Fuzzy Hash: 7f23074346049f0b9b7578224769836f77fa9ee9b864ff6208af8884c92afe46
                      • Instruction Fuzzy Hash: 08313235714288EFDB01DE58C8829CDFBB2EB95210F64C6A0E8448B306C634EF46DB90
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                       • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d17ffc1b7c175c9f3f133bcf490b3ef334a0cf6f2a578ee1034f9dfeca47056c
                      • Instruction ID: 59b6897f9b8186196f1d7c9dc4b102a6449decfd9a60c273082b1581007bf1c9
                      • Opcode Fuzzy Hash: d17ffc1b7c175c9f3f133bcf490b3ef334a0cf6f2a578ee1034f9dfeca47056c
                      • Instruction Fuzzy Hash: 8D018032B057210B874CDD7ECD9962AFAD7ABC8910F09C63D9689C76C8DD31881AC692
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                       • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ae0e43f82692c6785844f3e70bb209c8b319b1924ab6e756aa91dc1deac9637f
                      • Instruction ID: 73e57bed493137c61c3b7e38d836c6b60a3a657779dcf89de1c017db3448686f
                      • Opcode Fuzzy Hash: ae0e43f82692c6785844f3e70bb209c8b319b1924ab6e756aa91dc1deac9637f
                      • Instruction Fuzzy Hash: 3BD012AA22910356F736C06D6DE0B630A47F74031CF35CCEDE506D5FC0D967E8988210
                      APIs
                      • GetModuleHandleW.KERNEL32(oleaut32.dll), ref: 05C20685
                        • Part of subcall function 05C20650: GetProcAddress.KERNEL32(00000000), ref: 05C20669
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                       • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID: AddressHandleModuleProc
                      • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                      • API String ID: 1646373207-1918263038
                      • Opcode ID: fdfee9e4f17ba22b2ccd62c2e06e414315f0a063608208d2263bfc537c4b51a6
                      • Instruction ID: 1480ddb4345df6cdd33033851d7290699c32ad68eda4cd8ae2c7b4d6188f577f
                      • Opcode Fuzzy Hash: fdfee9e4f17ba22b2ccd62c2e06e414315f0a063608208d2263bfc537c4b51a6
                      • Instruction Fuzzy Hash: F2415EB57142245BA604AF6F248D5267BFCD3862147E08C0BB84CBAA44DE70EC425E6D
                      APIs
                      • GetStdHandle.KERNEL32(FFFFFFF5), ref: 05BF71FA
                      • GetStdHandle.KERNEL32(000000F6), ref: 05BF7205
                      • GetFileType.KERNEL32(00000000), ref: 05BF721D
                      • GetConsoleOutputCP.KERNEL32(00000000), ref: 05BF722F
                      • GetConsoleCP.KERNEL32(00000000), ref: 05BF7240
                      • GetFileType.KERNEL32(00000000), ref: 05BF738B
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                       • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID: ConsoleFileHandleType$Output
                      • String ID:
                      • API String ID: 393880136-0
                      • Opcode ID: f48888875781232eb69a9619aec5e17e9ba482d2ee1a5884d0e6ab88f01139da
                      • Instruction ID: 48e70689c5c815d58c97a3c3f5e1c54176d56d00a7ac63761e76cbe44217e443
                      • Opcode Fuzzy Hash: f48888875781232eb69a9619aec5e17e9ba482d2ee1a5884d0e6ab88f01139da
                      • Instruction Fuzzy Hash: DF518361604201AAEF20EF648888B6A36A6FF45310F1486E5EF06CF2C5DF34E94EC765
                      APIs
                      • FindWindowW.USER32(MouseZ,Magellan MSWHEEL), ref: 05C031A4
                      • RegisterWindowMessageW.USER32(MSWHEEL_ROLLMSG), ref: 05C031B0
                      • RegisterWindowMessageW.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG), ref: 05C031BF
                      • RegisterWindowMessageW.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG), ref: 05C031CB
                      • SendMessageW.USER32(00000000,00000000,00000000,00000000), ref: 05C031E3
                      • SendMessageW.USER32(00000000,?,00000000,00000000), ref: 05C03207
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                       • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID: Message$Window$Register$Send$Find
                      • String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
                      • API String ID: 3569030445-3736581797
                      • Opcode ID: d65a3729a1e62572d11ea40f5ec9f0c20ace7a23fe9d0523ba009e9913d29c75
                      • Instruction ID: add941b993d731dd346517ba12eaf3d10759c20748d2d12697295a9af75d53be
                      • Opcode Fuzzy Hash: d65a3729a1e62572d11ea40f5ec9f0c20ace7a23fe9d0523ba009e9913d29c75
                      • Instruction Fuzzy Hash: 44117078344351BFE714DF65CC49B26B7E8EF49A50F106C25F9458B2C1E7B099419B60
                      APIs
                        • Part of subcall function 05BF89A8: GetTickCount.KERNEL32 ref: 05BF89DF
                        • Part of subcall function 05BF89A8: GetTickCount.KERNEL32 ref: 05BF89F7
                        • Part of subcall function 05C16DE4: GetLocaleInfoW.KERNEL32(00000000,0000100B,?,00000100,00000000,00000000,?,05C176DF,?,?), ref: 05C16E02
                      • GetThreadLocale.KERNEL32(00000000,00000004,?,?), ref: 05C176FB
                      • EnumCalendarInfoW.KERNEL32(05C1754C,00000000,00000000,00000004,?,?), ref: 05C17706
                      • GetThreadLocale.KERNEL32(00000000,00000003,05C1754C,00000000,00000000,00000004,?,?), ref: 05C17736
                      • EnumCalendarInfoW.KERNEL32(05C175D8,00000000,00000000,00000003,05C1754C,00000000,00000000,00000004,?,?), ref: 05C17741
                      • GetThreadLocale.KERNEL32(00000000,00000004,?,?), ref: 05C177D2
                      • EnumCalendarInfoW.KERNEL32(05C1754C,00000000,00000000,00000004,?,?), ref: 05C177DD
                      • GetThreadLocale.KERNEL32(00000000,00000003,05C1754C,00000000,00000000,00000004,?,?), ref: 05C1780F
                      • EnumCalendarInfoW.KERNEL32(05C175D8,00000000,00000000,00000003,05C1754C,00000000,00000000,00000004,?,?), ref: 05C1781A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                       • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID: InfoLocale$CalendarEnumThread$CountTick
                      • String ID: B.C.
                      • API String ID: 1601775584-621294921
                      • Opcode ID: 831ce8281538638d61043ac32d902bc6690df3cb9f11211ec797ea0e2d45e756
                      • Instruction ID: 873dfd97f00c1572958dec569dc1e025b07b191d279c32255c64cc13c58f4b52
                      • Opcode Fuzzy Hash: 831ce8281538638d61043ac32d902bc6690df3cb9f11211ec797ea0e2d45e756
                      • Instruction Fuzzy Hash: 305124B87106009FDB11EF78DC8AA6A3BA5FB45314F024A64F941EB791DE30AD02DF94
                      APIs
                      • EnterCriticalSection.KERNEL32(05E49B8C,00000000,05BFCBA8,?,?,?,00000000,?,05BFD470,00000000,05BFD4CF,?,?,00000000,00000000,00000000), ref: 05BFCAC2
                      • LeaveCriticalSection.KERNEL32(05E49B8C,05E49B8C,00000000,05BFCBA8,?,?,?,00000000,?,05BFD470,00000000,05BFD4CF,?,?,00000000,00000000), ref: 05BFCAE6
                      • LeaveCriticalSection.KERNEL32(05E49B8C,05E49B8C,00000000,05BFCBA8,?,?,?,00000000,?,05BFD470,00000000,05BFD4CF,?,?,00000000,00000000), ref: 05BFCAF5
                      • IsValidLocale.KERNEL32(00000000,00000002,05E49B8C,05E49B8C,00000000,05BFCBA8,?,?,?,00000000,?,05BFD470,00000000,05BFD4CF), ref: 05BFCB07
                      • EnterCriticalSection.KERNEL32(05E49B8C,00000000,00000002,05E49B8C,05E49B8C,00000000,05BFCBA8,?,?,?,00000000,?,05BFD470,00000000,05BFD4CF), ref: 05BFCB64
                      • LeaveCriticalSection.KERNEL32(05E49B8C,05E49B8C,00000000,00000002,05E49B8C,05E49B8C,00000000,05BFCBA8,?,?,?,00000000,?,05BFD470,00000000,05BFD4CF), ref: 05BFCB8D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                       • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID: CriticalSection$Leave$Enter$LocaleValid
                      • String ID: en-GB,en,en-US,
                      • API String ID: 975949045-3021119265
                      • Opcode ID: 2226c2fa2b7d50fb38b6d956c013ae9ba8981e1414eeadac06b205e08a692a3b
                      • Instruction ID: 4265e6130a2aed6ec18958e29b09300d5879db87f46166d947035bbc73fdc29f
                      • Opcode Fuzzy Hash: 2226c2fa2b7d50fb38b6d956c013ae9ba8981e1414eeadac06b205e08a692a3b
                      • Instruction Fuzzy Hash: F521C32870C20C67DB11B7A89C09A2B7B9ADF88740F5004E1A340E7643DE76BC8D876E
                      APIs
                      • IsValidLocale.KERNEL32(00000000,00000001,00000000,05C1714B,?,00000000,05D73558,00000000,00000000,00000000,?,05D76895,00000000,05D769A9,?,00000000), ref: 05C16E83
                      • GetThreadLocale.KERNEL32(00000000,00000001,00000000,05C1714B,?,00000000,05D73558,00000000,00000000,00000000,?,05D76895,00000000,05D769A9,?,00000000), ref: 05C16E8C
                        • Part of subcall function 05C16E30: GetLocaleInfoW.KERNEL32(00000000,0000000F,?,00000002,0000002C,00000000,00000000,?,05C16F3C,?,?,?,05D76C4D,?,00000000,05D76C6A), ref: 05C16E43
                        • Part of subcall function 05C16DE4: GetLocaleInfoW.KERNEL32(00000000,0000100B,?,00000100,00000000,00000000,?,05C176DF,?,?), ref: 05C16E02
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                       • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID: Locale$Info$ThreadValid
                      • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                      • API String ID: 233154393-2493093252
                      • Opcode ID: 4bab85f8bc4a5dd920a0a2d9dba3bc36bb49e8a657d79352b7f17f042032b3ec
                      • Instruction ID: eb33601224681a8c3b17527acd874e726083612c3a851c0516824349a790ef23
                      • Opcode Fuzzy Hash: 4bab85f8bc4a5dd920a0a2d9dba3bc36bb49e8a657d79352b7f17f042032b3ec
                      • Instruction Fuzzy Hash: C37182747001099BDB05EBA4CC84ADF77B6EF4A300F608871ED059B745DA34DA06E7A9
                      APIs
                      • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 05BFF05C
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                       • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                       • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID: ExceptionRaise
                      • String ID:
                      • API String ID: 3997070919-0
                      • Opcode ID: c42c4c09cd1e30960370847d74720e0bba16118de88d78303fc8cbdbeede727e
                      • Instruction ID: 09e359f3c1301434e8865653bf85b951f1a0b26e699b660af15a9e9ee853b735
                      • Opcode Fuzzy Hash: c42c4c09cd1e30960370847d74720e0bba16118de88d78303fc8cbdbeede727e
                      • Instruction Fuzzy Hash: 9FA16F75A003099FDB24DFA8D885BBEBBF5FB88310F244169E645A7290DB70B949CF50
                      APIs
                      • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 05C22B0D
                      • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 05C22B29
                      • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 05C22B62
                      • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 05C22BDF
                      • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 05C22BF8
                      • VariantCopy.OLEAUT32(?), ref: 05C22C2D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                      • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                      • String ID:
                      • API String ID: 351091851-3916222277
                      • Opcode ID: 4fd5d688ee938f22e5af32b0b2aac4544f534775fe67f9ab0540c3129bf8a76c
                      • Instruction ID: 9fe62739ef628b5c881bb8d9e17f7bc976c95b94f1c3f2e797aea97c1861a8e8
                      • Opcode Fuzzy Hash: 4fd5d688ee938f22e5af32b0b2aac4544f534775fe67f9ab0540c3129bf8a76c
                      • Instruction Fuzzy Hash: 57511879A0062D9BCB26DF58CC84BE9B3BDBF4C210F404AE5E549E7211D670AF849F61
                      APIs
                      • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation,00000000), ref: 05BF875A
                      • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 05BF8760
                      • GetLogicalProcessorInformation.KERNEL32(00000000,00000000,00000000,kernel32.dll,GetLogicalProcessorInformation,00000000), ref: 05BF8773
                      • GetLastError.KERNEL32(00000000,00000000,00000000,kernel32.dll,GetLogicalProcessorInformation,00000000), ref: 05BF877C
                      • GetLogicalProcessorInformation.KERNEL32(?,00000000,00000000,05BF87F0,?,00000000,00000000,00000000,kernel32.dll,GetLogicalProcessorInformation,00000000), ref: 05BF87A7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                      • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID: InformationLogicalProcessor$AddressErrorHandleLastModuleProc
                      • String ID: GetLogicalProcessorInformation$kernel32.dll
                      • API String ID: 1184211438-812649623
                      • Opcode ID: b6f5c6219984ec327b1b84ea120b86d136a0a9bbaacefcebb89188e5a50b935f
                      • Instruction ID: fba8c0451356ea3526be0d8e7894bbc102a696f51f8d15a94f8a5909d860d8e6
                      • Opcode Fuzzy Hash: b6f5c6219984ec327b1b84ea120b86d136a0a9bbaacefcebb89188e5a50b935f
                      • Instruction Fuzzy Hash: 4411E235B08244AEEF10EBA5DC85B6EB7E9EB40714F2040E6F700E3551E735BA888754
                      APIs
                      • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,05BF9A7D,?,?,?,?,05BF9B92,05BF687B,05BF68C2,?,?), ref: 05BF99FD
                      • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,05BF9A7D,?,?,?,?,05BF9B92,05BF687B,05BF68C2,?), ref: 05BF9A03
                      • GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,05BF9A7D,?,?,?), ref: 05BF9A1E
                      • WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,05BF9A7D), ref: 05BF9A24
                      • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 05BF9A42
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                      • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID: FileHandleWrite$Message
                      • String ID: Error$Runtime error at 00000000
                      • API String ID: 1570097196-2970929446
                      • Opcode ID: d814017a3604171e305498da7effae0c1b4fcdb128515a5353ca3c225e155f76
                      • Instruction ID: 277548a9e7414009f9652a30852f3ed9f7d447d9fab0b4269fb0542ef52a64b6
                      • Opcode Fuzzy Hash: d814017a3604171e305498da7effae0c1b4fcdb128515a5353ca3c225e155f76
                      • Instruction Fuzzy Hash: 62F0CD6076434079EF14B3A56C0BF7A2A68E740F18F146185F390990C0DBB070CEEBB1
                      APIs
                      • Sleep.KERNEL32(00000000,?), ref: 05BF5712
                      • Sleep.KERNEL32(0000000A,00000000,?), ref: 05BF572C
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                      • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID: Sleep
                      • String ID:
                      • API String ID: 3472027048-0
                      • Opcode ID: c2b22f6afd52f2110195d5f6fe03ada1ec0c43aa404c938efcf9929b8ae4d47c
                      • Instruction ID: 68aa4aec107399e81871c828cacef5d0734325a19964836b43fe9e953b436f45
                      • Opcode Fuzzy Hash: c2b22f6afd52f2110195d5f6fe03ada1ec0c43aa404c938efcf9929b8ae4d47c
                      • Instruction Fuzzy Hash: 897104316053008FD725CF29D984B26BBD5EB85314F1482EAE6988B3D1E770B94ACB91
                      APIs
                        • Part of subcall function 05C17CE8: VirtualQuery.KERNEL32(?,?,0000001C,00000000,05C17E94), ref: 05C17D1B
                        • Part of subcall function 05C17CE8: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 05C17D3F
                        • Part of subcall function 05C17CE8: GetModuleFileNameW.KERNEL32(MZP,?,00000105), ref: 05C17D5A
                        • Part of subcall function 05C17CE8: LoadStringW.USER32(00000000,0000FFEF,?,00000100), ref: 05C17DF5
                      • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,05C18005), ref: 05C17F41
                      • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 05C17F74
                      • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 05C17F86
                      • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 05C17F8C
                      • GetStdHandle.KERNEL32(000000F4,05C18020,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 05C17FA0
                      • WriteFile.KERNEL32(00000000,000000F4,05C18020,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 05C17FA6
                      • LoadStringW.USER32(00000000,0000FFD0,?,00000040), ref: 05C17FCA
                      • MessageBoxW.USER32(00000000,?,?,00002010), ref: 05C17FE4
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                      • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
                      • String ID:
                      • API String ID: 135118572-0
                      • Opcode ID: 4311bbbe129359534458629aaa58e043e1f1dfad1301db4e2a78c3d3c1cfffec
                      • Instruction ID: 1ed48792586cd989c684480401b40d8a1241488455feb456caab0da25e2f9a23
                      • Opcode Fuzzy Hash: 4311bbbe129359534458629aaa58e043e1f1dfad1301db4e2a78c3d3c1cfffec
                      • Instruction Fuzzy Hash: 30318675744208BFEB14EBA4DC4AFAA7BECEB05700F5044A1BA04E71D0DEB06E44DB68
                      APIs
                      • GetCurrentThreadId.KERNEL32 ref: 05C2E8D5
                      • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 05C2E8FC
                      • LeaveCriticalSection.KERNEL32(?,00000000,05C2E9BE,?,00000000,00000000,00000000,00000000), ref: 05C2E943
                      • WaitForSingleObject.KERNEL32(?,00000001,?,00000000,05C2E9BE,?,00000000,00000000,00000000,00000000), ref: 05C2E950
                      • SetLastError.KERNEL32(000005B4,?,00000001,?,00000000,05C2E9BE,?,00000000,00000000,00000000,00000000), ref: 05C2E96A
                      • SetLastError.KERNEL32(00000000,?,00000001,?,00000000,05C2E9BE,?,00000000,00000000,00000000,00000000), ref: 05C2E97D
                      • EnterCriticalSection.KERNEL32(?,?,00000001,?,00000000,05C2E9BE,?,00000000,00000000,00000000,00000000), ref: 05C2E986
                      • CloseHandle.KERNEL32(?,05C2E9C9,?,00000000,05C2E9BE,?,00000000,00000000,00000000,00000000), ref: 05C2E9B8
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                      • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID: CriticalErrorLastSection$CloseCreateCurrentEnterEventHandleLeaveObjectSingleThreadWait
                      • String ID:
                      • API String ID: 28720170-0
                      • Opcode ID: 2dad610592b446d3c75c910133c4541bde178d1018d4414ff88c50eac7cf71f3
                      • Instruction ID: c466026c6d6cfa75238a9575bd65618dd57e97439013cfa520079b586b267088
                      • Opcode Fuzzy Hash: 2dad610592b446d3c75c910133c4541bde178d1018d4414ff88c50eac7cf71f3
                      • Instruction Fuzzy Hash: 73317275B04218EFDF41EBA9C848BADF7F9EB48310F158896E504E7390D674AE009BA4
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                      • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 56adced7746879383408d91f24ce0435e319b62152ad377c3f6b68c4e0ff3ce3
                      • Instruction ID: c28ba6bf01f9d0f945ea911e3afa6d5863714a35355bd2fabcfd5294cec4d6dd
                      • Opcode Fuzzy Hash: 56adced7746879383408d91f24ce0435e319b62152ad377c3f6b68c4e0ff3ce3
                      • Instruction Fuzzy Hash: CCC125727146040BE728DA7DEC8876EB7C6EBC4221F1882B9E355CB3C5DA64E94E8750
                      APIs
                        • Part of subcall function 05BF8DD8: GetCurrentThreadId.KERNEL32 ref: 05BF8DDB
                      • GetTickCount.KERNEL32 ref: 05BF89DF
                      • GetTickCount.KERNEL32 ref: 05BF89F7
                      • GetCurrentThreadId.KERNEL32 ref: 05BF8A27
                      • GetTickCount.KERNEL32 ref: 05BF8A52
                      • GetTickCount.KERNEL32 ref: 05BF8A89
                      • GetTickCount.KERNEL32 ref: 05BF8AB3
                      • GetCurrentThreadId.KERNEL32 ref: 05BF8B23
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                      • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID: CountTick$CurrentThread
                      • String ID:
                      • API String ID: 3968769311-0
                      • Opcode ID: 825f0ec7681f099ae8140d4e80f83722771d0b3c40952b029f5a3a1865b8f856
                      • Instruction ID: 9361da8caae2a1eea4127b7bd47db5471bf146f06cd176228a22e01e415873e3
                      • Opcode Fuzzy Hash: 825f0ec7681f099ae8140d4e80f83722771d0b3c40952b029f5a3a1865b8f856
                      • Instruction Fuzzy Hash: 954174722083819ED721DE7CC48472FBBD2FF84354F1489ACE6D987281E775A4898762
                      APIs
                      • Sleep.KERNEL32(00000000,?,05BF5B98), ref: 05BF53AF
                      • Sleep.KERNEL32(0000000A,00000000,?,05BF5B98), ref: 05BF53C5
                      • Sleep.KERNEL32(00000000,?,?,?,05BF5B98), ref: 05BF53F3
                      • Sleep.KERNEL32(0000000A,00000000,?,?,?,05BF5B98), ref: 05BF5409
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                      • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID: Sleep
                      • String ID:
                      • API String ID: 3472027048-0
                      • Opcode ID: ac94c144a8049b024e47e778e1a717a8fbb74379ceac87a3e568e8a849c5228f
                      • Instruction ID: a2626d2dedc9ffffb73176c20d079988923cafdf49bf5ddad235b3e4b7c96682
                      • Opcode Fuzzy Hash: ac94c144a8049b024e47e778e1a717a8fbb74379ceac87a3e568e8a849c5228f
                      • Instruction Fuzzy Hash: 4CC11676A143504BD725CF29E884726BFA1FB85314F0982E9E6898B3C5DB70B54ACBD0
                      APIs
                      • VirtualQuery.KERNEL32(?,?,0000001C,00000000,05C17E94), ref: 05C17D1B
                      • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 05C17D3F
                      • GetModuleFileNameW.KERNEL32(MZP,?,00000105), ref: 05C17D5A
                      • LoadStringW.USER32(00000000,0000FFEF,?,00000100), ref: 05C17DF5
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                      • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID: FileModuleName$LoadQueryStringVirtual
                      • String ID: MZP
                      • API String ID: 3990497365-2889622443
                      • Opcode ID: b6387bbfa6e49ad6fd7f6bbed47c5348987c1c8793293f00c9c9305640f69180
                      • Instruction ID: 9d653258e1da0266031a2d673f57f4701399aaf643cf92665197a58d368740d4
                      • Opcode Fuzzy Hash: b6387bbfa6e49ad6fd7f6bbed47c5348987c1c8793293f00c9c9305640f69180
                      • Instruction Fuzzy Hash: D9413D70A0025C9FDB20EF68CD85B9AB7F9EB4A310F4044E5E908E7241DB759E989F54
                      APIs
                      • IsWindow.USER32(?), ref: 05C2DF15
                      • FindWindowExW.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 05C2DF46
                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 05C2DF7F
                      • GetCurrentThreadId.KERNEL32 ref: 05C2DF86
                        • Part of subcall function 05BFEF0C: TlsGetValue.KERNEL32(0000002B,0000002B,05BF6836,?,05BF9AE1,?,?,?,?,05BF9B92,05BF687B,05BF68C2,?,?,05BF68DB), ref: 05BFEF31
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                      • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID: Window$Thread$CurrentFindProcessValue
                      • String ID: OleMainThreadWndClass
                      • API String ID: 973455579-3883841218
                      • Opcode ID: 47491051ff74d7aa81f52851348997f227dc18865ce6eac697fcc3e4bf05cc1e
                      • Instruction ID: 0ba573db14287d183c146edb20b3cd8ff600e02e4a7bf5e03617dbc71a1198b6
                      • Opcode Fuzzy Hash: 47491051ff74d7aa81f52851348997f227dc18865ce6eac697fcc3e4bf05cc1e
                      • Instruction Fuzzy Hash: B1015239304610EEE750BBA9D84CF793399AF41255F0649F1F6068B1E1C734AC468B2A
                      Memory Dump Source
                      • Source File: 00000000.00000002.3376326936.0000000005BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 05BF0000, based on PE: true
                      • Associated: 00000000.00000002.3376294600.0000000005BF0000.00000002.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378320990.0000000005E41000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378355903.0000000005E42000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378387568.0000000005E43000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378437941.0000000005E4B000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378471054.0000000005E4F000.00000008.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378500814.0000000005E51000.00000004.00000001.01000000.00000005.sdmp
                      • Associated: 00000000.00000002.3378536093.0000000005E52000.00000002.00000001.01000000.00000005.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_5bf0000_SecuriteInfo.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0bd7ce4060c400f9545baf40f9cd173a47bf4da7ecd94fca0292fe38c1211753
                      • Instruction ID: c1c55148c5c81e3ed160b3af246dc8f70e5b3ad8a7e5e55d2298cba9697d50d9
                      • Opcode Fuzzy Hash: 0bd7ce4060c400f9545baf40f9cd173a47bf4da7ecd94fca0292fe38c1211753
                      • Instruction Fuzzy Hash: 25D1A039A00269EFCF00EF94C4818FDBBB6EF49710F5448A5E840A7255D734AE46EB64
                      APIs
                        • Part of subcall function 05C2DEF8: IsWindow.USER32(?), ref: 05C2DF15
                        • Part of subcall function 05C2DEF8: FindWindowExW.USER32(00000000,00000000,OleMainThreadWndClass,00000000), ref: 05C2DF46
                        • Part of subcall function 05C2DEF8: GetWindowThreadProcessId.USER32(?,00000000), ref: 05C2DF7F
                        • Part of subcall function 05C2DEF8: GetCurrentThreadId.KERNEL32 ref: 05C2DF86
                      • MsgWaitForMultipleObjectsEx.USER32(?,?,?,000004BF,?), ref: 05C2DFFA
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 05C2E015
                      • TranslateMessage.USER32(?), ref: 05C2E022
                      • DispatchMessageW.USER32(?), ref: 05C2E02B
                      • WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,00000000), ref: 05C2E057
                      Similarity
                      • API ID: MessageWindow$MultipleObjectsThreadWait$CurrentDispatchFindPeekProcessTranslate
                      • String ID:
                      • API String ID: 2725875890-0
                      • Opcode ID: 216454d5442df386493bd19b617ac0e0bcc518c3fceec15c5bee390aadb05aff
                      • Instruction ID: 590d2f409e94b3d4ba7224fd55e1d29881aa123e7da02a347b51aca11c821a10
                      • Opcode Fuzzy Hash: 216454d5442df386493bd19b617ac0e0bcc518c3fceec15c5bee390aadb05aff
                      • Instruction Fuzzy Hash: 70217476604229ABEB10DEA4CC89FAF73ADFB09350F100925EA05E7280D679D941D7A1
                      APIs
                      • GetFileAttributesW.KERNEL32(00000000,?,?,?,05E377AD,00000000,05E37A80), ref: 05C12E79
                      • GetLastError.KERNEL32(00000000,?,?,?,05E377AD,00000000,05E37A80), ref: 05C12ED2
                      Similarity
                      • API ID: AttributesErrorFileLast
                      • String ID:
                      • API String ID: 1799206407-0
                      • Opcode ID: 57f40adc82a1bd243a03b860d1ca5f070e79bb0b7d21f07d9713a0d2c63a1024
                      • Instruction ID: a3371faeb17728bdf52da4f066d98d9394d0d1936e5aab3b3fecdad7de3f2412
                      • Opcode Fuzzy Hash: 57f40adc82a1bd243a03b860d1ca5f070e79bb0b7d21f07d9713a0d2c63a1024
                      • Instruction Fuzzy Hash: 0401A22D30830065EF75617B4CCD77E02465F475A2F281D51EE93A65E0D6554683317D
                      APIs
                      • DeleteFileW.KERNEL32(00000000,?,?,00000000,00000000,05CF28EC,?,?,00000000,00000000), ref: 05C12F10
                      • GetLastError.KERNEL32(00000000,?,?,00000000,00000000,05CF28EC,?,?,00000000,00000000), ref: 05C12F1F
                      • GetFileAttributesW.KERNEL32(00000000,00000000,?,?,00000000,00000000,05CF28EC,?,?,00000000,00000000), ref: 05C12F27
                      • RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,05CF28EC,?,?,00000000,00000000), ref: 05C12F42
                      • SetLastError.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,05CF28EC,?,?,00000000,00000000), ref: 05C12F50
                      Similarity
                      • API ID: ErrorFileLast$AttributesDeleteDirectoryRemove
                      • String ID:
                      • API String ID: 2814369299-0
                      • Opcode ID: ea1832bbaa03a3fcc9bbc1c0c178f3bfd83a0b16cac517c70e3ed73c69543b45
                      • Instruction ID: 54997be8ecac8946c44efac25ee17ad06d38e67d11ba3c1e7e1e5ecfb32598b6
                      • Opcode Fuzzy Hash: ea1832bbaa03a3fcc9bbc1c0c178f3bfd83a0b16cac517c70e3ed73c69543b45
                      • Instruction Fuzzy Hash: FFF0E51D3052602A6A6035BE6CCCB7F114CDA43469F041F75FE9EC21E0EA15990E316D
                      APIs
                      • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000200,00000000,05C15725), ref: 05C156C6
                      • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000200,00000000,05C15725), ref: 05C156CC
                      Strings
                      Similarity
                      • API ID: DateFormatLocaleThread
                      • String ID: $yyyy
                      • API String ID: 3303714858-404527807
                      • Opcode ID: d6c0b060dd98b589cd6f80c9e9de894da18d8d0b467dbe618c5c0e3420e97174
                      • Instruction ID: b0cd8566c7bb79dc689d1bf2fd28d60b4a5c025aa3a4ee3b84cf21647d78108f
                      • Opcode Fuzzy Hash: d6c0b060dd98b589cd6f80c9e9de894da18d8d0b467dbe618c5c0e3420e97174
                      • Instruction Fuzzy Hash: 68219235A10618EFDB15EB94C985AADB3F9EF4A300F5108A5ED05E7350E630EF04DBA5
                      APIs
                      • GetThreadUILanguage.KERNEL32(?,00000000), ref: 05BFC999
                      • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 05BFC9F7
                      • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 05BFCA54
                      • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 05BFCA87
                        • Part of subcall function 05BFC944: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,05BFCA05), ref: 05BFC95B
                        • Part of subcall function 05BFC944: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,05BFCA05), ref: 05BFC978
                      Similarity
                      • API ID: Thread$LanguagesPreferred$Language
                      • String ID:
                      • API String ID: 2255706666-0
                      • Opcode ID: 123d3d85021ea310501236120ec4f76e930e5631b487bf2a20957ecd251c4e35
                      • Instruction ID: 40a6f6b034677fa15f9b3a7876c94c2eba7467d8fbb39d28b7a72ba20c64ff6f
                      • Opcode Fuzzy Hash: 123d3d85021ea310501236120ec4f76e930e5631b487bf2a20957ecd251c4e35
                      • Instruction Fuzzy Hash: 32317030E1421E9BDB10DFE8C884AEEBBB5FF04310F1041A5D651E7285D774AE49CB60
                      APIs
                      • MessageBoxA.USER32(00000000,?,05BF4D30,00002010), ref: 05BF64D8
                      Strings
                      Similarity
                      • API ID: Message
                      • String ID: $7
                      • API String ID: 2030045667-2388253531
                      • Opcode ID: d1190bf9f39455935c0c660d8ce85e512d204337b770b358ebc976228a41a4b2
                      • Instruction ID: 19c3969df98c94543712af8f111863162dd7cc3defbd51e9d1263117a98e455d
                      • Opcode Fuzzy Hash: d1190bf9f39455935c0c660d8ce85e512d204337b770b358ebc976228a41a4b2
                      • Instruction Fuzzy Hash: 89B1A130B042548BDF21EF2CC884BA9BBE5FB09644F5441E5EA89D7241DF71A9CACF91
                      Strings
                      Similarity
                      • API ID:
                      • String ID: $7
                      • API String ID: 0-2388253531
                      • Opcode ID: ccba39ed914d1db7249a46400e0decfdee6f9baf1026cd34620eee6988d2cfb6
                      • Instruction ID: a915650759a062bdb7d3c52a701bbbe99a6571e34de90ef1a8305fb8e341bf36
                      • Opcode Fuzzy Hash: ccba39ed914d1db7249a46400e0decfdee6f9baf1026cd34620eee6988d2cfb6
                      • Instruction Fuzzy Hash: D8816F34B042988FDF21EF2DC884BA9BBE5FB09604F1441E5EA89D7241DB71698ACB51
                      APIs
                      • GetModuleHandleW.KERNEL32(ole32.dll,?,05C2E14A), ref: 05C2E0B6
                        • Part of subcall function 05C02538: GetProcAddress.KERNEL32(?,?), ref: 05C0255C
                      Strings
                      Similarity
                      • API ID: AddressHandleModuleProc
                      • String ID: CoWaitForMultipleHandles$ole32.dll
                      • API String ID: 1646373207-2593175619
                      • Opcode ID: 72e8ddc85393abc14c48e9f15ac95aa40633e0b818af69ce841d66299ca86ce2
                      • Instruction ID: 5d45a464cc9d546b04d7683703776d9db5d7d8419db3ddd6f0447385443a6818
                      • Opcode Fuzzy Hash: 72e8ddc85393abc14c48e9f15ac95aa40633e0b818af69ce841d66299ca86ce2
                      • Instruction Fuzzy Hash: E8D05EA86043318BDA106AA2A88E625395C6304108B046C34B14126041DF70C44BFF26